Predefined reports, tags, and data points

GuardiumĀ® Insights offers several predefined reports that help you quickly and easily identify security risks, such as inappropriately exposed objects, users with excessive rights, and unauthorized administrative actions. These predefined reports can be copied and customized. They cannot be deleted or modified in any way. Examples of the many predefined reports include: Client IP activity summary, Full SQL, Exception details, and Sensitive object usage.

Predefined reports

Table 1. Predefined reports, tags, and data points
Name Report ID Description Tag Data points
Administrative command usage 000000000000000000000702 This report lists all instances of SQL verbs included in the Administrative Commands group. Insider, Privileged-activity Server IP, Server hostname, Client IP, Service name, Database name, DB user, Source application, Verb, Object name, Total count
Administrative object usage 000000000000000000000703 This report lists all instances of object names included in the Administrative Objects group. Insider, Privileged-activity Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Object name
Administrative user login 000000000000000000000701 This report details login activity for those with administrator privileges. Insider, Privileged-activity Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Session ID
Audit results log 000000000000000000001301 A log of all audit activity and results within Guardium Insights Audit-activity, Internal User ID, Report name, Entry type, Date updated (local time), Field updated, Comment, Schedule ID, Entry ID
Classification 000000000000000000001101 This report details incoming classification data. Classification Classification start, Data source IP, Data source name, Data source type, Port, Service name, Schema, Catalog, Table, Column, Description, Classification name, Classification rule, Category, Comprehensive
Client IP activity summary 000000000000000000000901 This report displays activity for each client IP address. Activity Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Objects and verbs, Total count
Command execution 000000000000000000000704 This report provides details about the usage of SQL verbs in the DROP, GRANT, ALTER, REVOKE Commands group. Insider, Privileged-activity Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Verb
Connection events 000000000000000000001501 Guardium Insights internal report for tracking all connection events. Connection-events, Internal Hostname, Event type, Message, Event source, Event timestamp (local time), Connection ID, Connection name, Database name
Connection profiling list 000000000000000000000301 This report details incoming database connections. Connections Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Session ID
DML execution on administrative objects 000000000000000000000705 This report details the instances in which SQL verbs from the DML Commands group were used to reference object names in the Administration Objects group. Insider, Privileged-activity Server IP, Server hostname, Client IP, Service name, DB user, Source application, Verb, Object name
DML execution on sensitive objects 000000000000000000000903 This report details each SQL verb from the DML Commands group that references an object name in the Sensitive Objects group. Activity Server IP, Server hostname, Client IP, Service name, DB user, Source application, Verb, Object name
Data mart ingestion status 000000000000000000001800 The status of data mart files being ingested by Guardium Insights. Data mart, Internal Status entry creation time, Period start, Period end, Ingestion ID, Guardium appliance hostname, Data type, Export record count, Export status, Ingestion status, Total file count, Successful file count, Failure file count, Error
Exception details 000000000000000000000904 This report details exceptions logged. Activity Exception timestamp (local time), Server IP, Server hostname, Client IP, Service name, DB user, Source application, SQL that caused exception, Error cause, Exception additional info
Failed login attempts 000000000000000000000707 This report lists all failed login attempts. Insider, Privileged-activity DB user, Source address, Database protocol, Destination address, Exception ID
Full SQL 000000000000000000000905 This report shows the details for the full SQL statements that are run by DB users for a selected period of time. Activity DB user, Full SQL timestamp (local time), Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, Source application, SQL query
Number of connections per server 000000000000000000000401 This report shows the number of connections associated with each server. Denial-of-Service Server IP, Server hostname, Session ID
Outbound notification log 000000000000000000001401 Guardium Insights internal report for tracking all outbound notifications. Notification, Internal Status, , Integration, Origin, Destination, Title, Contents, Retry count, Date created (local time), Date delivered (local time)
Outlier details Details of outliers per source   Outliers Detailed outlier score, Detailed high volume outlier, Detailed vulnerable object outlier, Detailed new activity outlier, Detailed exception outlier, Total activity count, Server IP, Database type, Client hostname, Operating system user, Database user, Database, Object, Verb, Period start (local time), Timeframe
Outlier summary An hourly summary of outliers per source   Outliers Anomaly score, High volume outlier, Vulnerable object outlier, New activity outlier, Diverse activity outlier, Exception outlier, Ongoing outlier, Server IP, Database, Database user, Privileged user, Period start (local time), Timeframe
Policy violation 000000000000000000000906 This report shows every policy rule violation that is logged. Activity Policy violation timestamp (local time), DB user, Rule name, Server hostname, Server IP, Full SQL, Severity, Source application, Client IP, OS user
Scheduled jobs exceptions 0000000000000000000001001 This report displays exceptions for scheduled jobs. Activity Exception additional info, Exception ID
Sensitive object usage 000000000000000000000907 This report details all objects from the Sensitive Objects group that were referenced. Activity Object name, Server IP, Server hostname, Client IP, Service name, DB user, Source application
Sessions by client IP 000000000000000000000908 This report provides details about session data that is collected for each database user. Activity Client IP, Session ID
SQL errors 000000000000000000000203 This report lists SQL errors that were discovered. Brute-force Server IP, Server hostname, Server database type, Database type, Client IP, OS user, Service name, Database name, DB user, Source application, Exception additional info, Error cause, Exception ID
Vulnerability assessment 0000000000000000000001201 This report details incoming vulnerability assessment data. Vulnerability Data source name, Database type, DB name, DB version, DB patch, Full version info,Description, Host, Test, , Result description, Result text, Recommendation, Severity, Category, Execution date (local time), Assessment description, Service name, Port, Data source ID, Result details, Test ID, External reference, External group description

To work with an individual predefined report, click it in the Reports page.

Default report tags

Guardium Insights provides these predefined report tags:

  • Activity
  • Audit-activity
  • Brute-force
  • Classification
  • Connections
  • Connection-events
  • Data mart
  • Denial-of-Service
  • Guardium-monitoring
  • Insider
  • Insider-and-privileged-activity
  • Internal
  • Notification
  • Outliers
  • Privileged-activity
  • Vulnerability

You can also create your own report tags when creating or working with a custom report.

Report data points and columns

Default Guardium Insights report data types include:

Table 2. Event data points
Name Description
ID Event ID
Hostname Database server hostname
Event type Type for the connection event
Message Message in the connection event
Event source Source for the connection event
Connection ID The ID of the connection associated with the event
Connection name The name of the connection
Event timestamp (local time) Date and time of last update (local time)
Table 3. Exception data points
Name Description
Exception type ID Exception type code
Exception ID Uniquely identifies the exception
User Database user
Source address Source address
Destination address Server IP address.
Application user Name of the user creating the policy rule violation
Exception additional info Description of the database or S-TAP exception. S-TAP exceptions contain the IP address or DNS name of the database server. Database exceptions contain an error code from the database management system.
SQL that caused exception SQL that caused exception
Error cause Short text description of the error
Error code Database error code
Exception timestamp Date and time of the last update
Exception timestamp (local time) Date and time of last update (local time)
Session ID Uniquely identifies the session
Information link Link to more information about the exception
Original time zone The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones
Exception count Count
Source ID Source ID
Collector ID Uniquely identifies the session access
Table 4. Full SQL data points
Name Description
Full SQL ID Unique identifier for the full SQL statement
Message type Message type
Session ID Uniquely identifies the session
Full SQL timestamp Date and time of the last update
Full SQL timestamp (local time) Date and time of the last update (local time)
Original time zone The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones
Instance ID Unique identifier for the construct instance
Rule name The description of the rule from its definition
SQL query SQL string
Full SQL: Total records affected Total number of records affected
Result of SQL query Result of the SQL query
Status SQL statement status
SQL query response time The response time for the request in milliseconds
Acknowledge response time Acknowledged response time in milliseconds
Collector ID Uniquely identifies the session access
Table 5. Instance data points
Name Description
Message type Message type
Instance ID Unique identifier for the construct instance
Session ID Uniquely identifies the session
Original time zone Date and time of the last update (local time)
Period start Access period start date and time
Period start (local time) Access period start (local date and time).
Period end Access period end date and time
Period end (local time) Access period end (local date and time).
Application event ID Unique identifier for the application event entity
Application user Name of the user creating the policy rule violation
Application event type Application event type
Application event value (string) Application event value (string)
Application event value (number) Application event value (number)
Application event date Date and time when the event occurred
Application event date (local time) Local date and time value, set by GuardAppEvent:Start (display format yyyy-mm-dd hh:mm:ss).
Construct ID Uniquely identifies the SQL statement
Mask SQL query Original SQL statement before any query rewrites are applied
Objects and verbs Verbs are SQL actions such as SELECT, INSERT, UPDATE, and DELETE. Objects are database objects such as tables, views, and schemas.
Number of successful SQL queries Number of successful SQL queries
Number of failed SQL queries Number of failed SQL queries
DB user Database user is the user that connected to the database, either locally or remotely
OS user OS user
Source application The application that originated the activity
Server IP Server IP address
Client IP Client IP address
Service name Service name or alias used until the service is connected
Client hostname Client hostname
Database type Type of database, for example Db2, Oracle, or Sybase
Database name Name of database for the session. Oracle databases may contain additional application-specific information.
Application event user User name set by GuardAppEvent:Start, part of the Guardium Application Events API
Server port Server port number
Network protocol Network protocol, for example TCP or UDP. For K-TAP on Oracle, this displays as either IPC or BEQ.
Instance: Total records affected Total number of records affected
Server hostname Server hostname
Access timestamp Date and time of the last update
Access (local timestamp)  
Average time to execute SQL queries Average time to execute SQL queries
Collector ID Uniquely identifies the session access
Total count The total number of SQL queries, both successful and failed
Table 6. Object data points
Name Description
Object ID Uniquely identifies the object
Object name Name of the object
Message type Message type
Sentence ID The key of sentence entity
Construct ID Uniquely identifies the SQL statement
Object timestamp Date and time of the last update
Ingest timestamp Date and time of the last update
Table 7. Policy violation data points
Name Description
Message type Message type
Violation ID Uniquely identifies the violation
Session ID Uniquely identifies the session
Original time zone The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones
OS user OS user
DB user Database user is the user that connected to the database, either locally or remotely
Client IP Client IP address
Client hostname Client hostname
Source application The application that originated the activity
Server IP Server IP address
Database type Type of database, for example Db2, Oracle, or Sybase
Service name Service name or alias used until the service is connected
Construct ID Uniquely identifies the SQL statement
Objects and verbs Verbs are SQL actions such as SELECT, INSERT, UPDATE, and DELETE. Objects are database objects such as tables, views, and schemas.
Application user Name of the user creating the policy rule violation
Access rule ID Uniquely identifies the access policy rule
Rule name The description of the rule from its definition
Full SQL SQL string causing the policy rule violation
Occurrences The total number of times a unique violation was observed
Category name Policy rule category
Classification name Classification of the policy rule as defined by the user
Severity Policy rule severity
Policy description Description of the policy
Policy violation timestamp Date and time of the last update
Server hostname Server hostname
Collector ID Uniquely identifies the session access
Policy violation timestamp (local time) Date and time of the last update (local time)
Table 8. Sentence data points
Name Description
Message type Message type
Sentence ID The key of sentence entity
Construct ID Uniquely identifies the SQL statement
Verb SQL command
Depth Depth of the command in the SQL parse tree
Parent sentence ID The key of the parent sentence for a subquery
Sentence timestamp Date and time of the last update
Ingest timestamp Date and time of the last update
Table 9. Session data points
Name Description
Message type Message type
Session ID Uniquely identifies the session
Database type Type of database, for example Db2, Oracle, or Sybase
Server OS Server operating system
Client OS Client operating system
Server ID Server ID
Client IP Client IP address
Network protocol Network protocol, for example TCP or UDP. For K-TAP on Oracle, this displays as either IPC or BEQ.
Database protocol Protocol specific to the database server
Database protocol version Protocol version for the database protocol
DB user Database user is the user that connected to the database, either locally or remotely
OS user OS user
Source application The application that originated the activity
Client hostname Client hostname
Server hostname Server hostname
Service name Service name or alias used until the service is connected
Database name Name of database for the session. Oracle databases may contain additional application-specific information.
Client port Client port number
Server port Server port number
Source ID Source ID
Original time zone The UTC offset provides a means of comparing the relative times of activities of collectors in different time zones
Connection start Date and time the session started
Connection start (local time) Session start (local date and time).
Connection end Date and time the session ended
Connection end (local time) Session end (local date and time)
TTL Time to live. The amount of time that data is allowed to live in the database
Inactive flag -1: Closed by database session timeout, 0: Open (SQL package), 1: Closed by logout or disconnect, 2: Closed due to timeout on Guardium system (session reopens if traffic is regenerated in the same session), 3: Non-SQL packets
Session ignored Indicates if any part of the session was ignored, starting at a specific time.
Ignore since Timestamp when the session was first ignored
Ignore since (local time) Start of session ignore (local timestamp)
UID chain For a session reported by UNIX S-TAP in K-TAP mode, this shows the chain of operating system users when users 'su' with a different username.
Compressed UID chain The chain of operating system users, starting from when a user switches to a different username. The values that appear here vary by operating system and platform. User IDs may be reported instead of usernames in the UID Chain.
Failover flag Indicates if a session failover occurred
Failover timestamp Date and time of session failover
Failover timestamp (local time) Session failover occurred (local timestamp)
Login succeeded Indicates if session login was successful
Sender IP Sender's IP address
Inspection engine identifier Inspection engine identifier
Access ID A unique identifier for this client/server connection
Server IP Server IP address
Server database type Type of database, for example Db2, Oracle, or Sybase
Server IP/Server hostname Server IP/Server hostname
Server/Database type Server/Database type
Table 10. Vulnerability assessment data points
Name Description
Message type Message type
Data source name Full name of the data source
Database type Type of database, for example Db2, Oracle, or Sybase
DB name Database name
DB version Database version level
DB patch Database patch level
Full version info Database version and patch
Description Data source description
Host Database host
Test Test description
Result code Code for the result description that can be used if the report data is exported
Result description Either Pass or the reason for the test failure
Result text Details of the test results
Recommendation Actions to take to eliminate the vulnerability
Severity Policy rule severity
Category Policy rule category
Execution date Date and time the vulnerability process started running
Execution date (local time) Date and time the vulnerability process started running (local time)
Assessment description Name of the assessment process
Service name Service name or alias used until the service is connected
Port Data source port
Data source ID ID of the data source
Result details Additional test result details
Test ID Test case ID
External reference Description of the external reference
External group description Description of the external group
Server IP Server IP address
Table 11. Classification data points
Name Description
Message type Message type
Start date (local time) Date and time the classification process started running (local time).
Data source IP The data source server IP
Data source name Full name of the data source
Data source type Database type
Port Data source port
Service name Service name or alias used until the service is connected
Schema Displays if the data source includes schema details.
Catalog Displays if the data source includes catalog details.
Table Table name in the data source
Column Column name in the data source
Description Data source description
Classification name Classification of the policy rule as defined by the user
Classification rule Classification rules use regular expressions, Luhn algorithms, and other criteria to define rules for matching content when applying a classification policy.
Comments Comments are added by users to provide additional details.
Category Categories are used to group policy violations for both reporting and incident management.
Comprehensive Classification based on random sampling of data
Global ID Uniquely identifies the session access
Classification start Date and time the classification process started running
Classification start (local time) Date and time the classification process started running (local time)
Table 12. Audit data points
Name Description
User ID ID of the user that took an action on the audit
Report name Report name for the audit
Data source IP The data source server IP
Entry type Audit or task type
Entry title Audit or task entry
Date updated (local time) Date and time of the last update
Field updated Field updated while auditing
Comment User comment
Schedule ID ID for the scheduled job that includes scheduled tasks
Entry ID ID for the audit or task associated with this audit event
Table 13. User notification data points
Name Description
Title Notification title
Contents Detailed contents for the notification
Retry count Number of times the notification was resent
Date created (local time) Date and time the notification was created
Date delivered (local time) Date and time the notification was delivered
Status Status for the notification
Integration Integration service used by the notification
Origin Incoming source for the notification
Destination Where the notification will be sent
Table 14. Data mart data points
Name Description
Ingestion ID Unique ID generated per data mart per Guardium system
Guardium appliance hostname Full hostname of the Guardium system sending the data mart
Data type The type of data mart
Period start The period start of the data belonging to that particular data mart bundle
Period end The period end of the data belonging to that particular data mart bundle
Export record count The total count of records exported from a Guardium system for a data mart
Export status Status of the export process of data mart from a Guardium system
Ingestion status Status of the ingestion of data inside Guardium Insights
Total file count Total number of files inside a data mart
Successful file count Total number of files successfully ingested for a data mart
Failure file count Total number of files failed on ingestion for a data mart
Error Error information for a data mart, if error information is available
Status entry creation time The timestamp in UTC for when the entry gets created
Table 15. Outlier data points
Name Description
Server IP Server IP address
Database user Database user is the user that connected to the database, either locally or remotely
Database Name of database for the session. Oracle databases may contain additional application-specific information.
Anomaly score Outlier anomaly score
Period start Outliers identified based on activities for the hour starting at this time
Period start (local time) Outliers identified based on activities for the hour starting at this time (local time)
New activity outlier Unusual volume of new activities
Privileged user Privileged user
High volume outlier Exceptionally high volume of activities
Diverse activity outlier Exceptionally high volume of different types of activities. For example, a larger range of activities than usual or activities performed at an unusual time.
Exception outlier Unusually high volume of exceptions
Ongoing outlier Anomaly continued for an ongoing period of time. These anomalies may have had a low score and did not result in an outlier on their own.
Database type Type of database, for example Db2, Oracle, or Sybase
Timeframe Outlier activity occurred during this timeframe. Timeframe can be workday, weekend, or off-hours
Vulnerable object outlier Exceptionally high volume of activities on vulnerable objects
Application The application that originated the activity
Total activity count The total number of SQL commands that result in this outlier
Detailed outlier score The outlier anomaly score applies only to high volume and vulnerable object outliers
Object Name of the object
Verb SQL command
Detailed exception outlier These are the details of an outlier with a high volume of exceptions
Detailed new activity outlier These are the details of an outlier with an unusual volume of new activities
Detailed high volume outlier These are the details of an outlier with an exceptionally high volume of activities
Records affected The number of records affected by the SQL commands that results in this outlier
Client IP Client IP address
Client hostname Client hostname
Operating system user OS user
Detailed vulnerable object outlier These are the details of an outlier with an exceptionally high volume of activities on vulnerable objects

New report data points

Table 16. New report data points
Category Category ID Available data points
Classification 000000000000000000000006
DB activity 000000000000000000000001
DB exception 000000000000000000000003
Data mart ingestion status 000000000000000000000018 Table 14
Full SQL 000000000000000000000004
Outliers 000000000000000000000010 Table 15
Policy violation 000000000000000000000002
Vulnerability assessment 000000000000000000000005