Building audit processes

Streamline the compliance workflow process by consolidating, in one spot, the following database activity monitoring tasks: asset discovery; vulnerability assessment and hardening; database activity monitoring and audit reporting; report distribution; sign-off by key stakeholders; and, escalations.

Automate and integrate the following audit activities into a compliance workflow:

The ability to group multiple audit tasks (reports, vulnerability assessments, etc.) into one process.
Schedule these processes to run on a regular basis.
Run these tasks in the background.
Write the task results to a comma-separated value (CSV) file or ArcSight Common Event Format (CEF) file and/or forward the results to other systems using Syslog.
Add comments and notations.
Assign the process to its originator for viewing (he/she will get a new item in their To-Do list once the result is ready).
Assign the process for other users or to a group of users or a role.
Create the requirement that these assignees sign on the result.
Allow escalation of the result (assign to someone outside of the original audit trail).

Transform the management of database security from time-consuming manual activities performed periodically to a continuous, automated process that supports company privacy and governance requirements, such as PCI-DSS, SOX, Data Privacy and HIPAA.

Export audit results to external repositories for additional forensic analysis – Syslog, CSV/CEF files, external feed.

The Audit Process Log report, shows a detailed activity log for all tasks including start and end times. This report is available for admin users via the Guardium® Monitor tab. Audit tasks show start and end times, however the start and end of Security Assessments and Classifications (which go to a queue) is the same.

The results of each workflow process, including the review, sign-off trails, and comments can be archived and later restored and reviewed through the Investigation Center.

A compliance workflow automation process answers the following questions:

What type of report, assessment, audit trail, or classification is needed?
Who should receive this information and how are signoffs handled?
What is the schedule for delivery?

Further elements of the compliance workflow automation process include:

A process definition
A distribution plan, which:
- Defines receivers, who can be individual users, user groups, or roles. (See Process Receivers.)
- Defines the review/sign responsibility for each receiver.
- Defines the distribution sequence by setting the Continuous flag.
A set of tasks (see Process Task Types)
A schedule - The audit process can be run immediately, or a schedule can be defined to run the process on a regular basis

Process Task Types

A workflow process may contain any number of audit tasks:

Reports, custom or pre-defined. Guardium provides hundreds of predefined reports, with more than 100 regulation-specific reports.
Security assessment report, The security database assessment scans the database infrastructure for vulnerabilities, and provides an evaluation of database and data security health, with both real-time and historical measurements. It compares current environment against preconfigured vulnerability tests based on known flaws and vulnerabilities, grouped using common database security best practices (like STIG and CIG1), as well as incorporating custom tests. The application generates a Security Health Report Card, with weighted metrics (based on best practices) and recommends action plans to help strengthen database security.
An entity audit trail, A detailed report of activity relating to a specific entity is produced (for example, a client IP address or a group of addresses).
A privacy set, A report detailing access to a group of object-field pairs (a Social Security number and a date of birth, for example) is produced during a specified time period.
A classification process, The existing database metadata and data is scanned, reporting on information that may be sensitive, such as Social Security numbers or credit card numbers.
An external feed, Data can be exported to an external specialized application for further forensic analysis.
Note: The Optional External Data Feed is an optional component enabled by product key. If this feature has not been enabled, this choice will not appear in Audit Task selection and the Feed Type list will be empty.

Workflow Processes, Central Management and Aggregation

On a Central Manager, reports can reference data from remote datasources (managed units). Audit processes that use these reports will be accessible from the Central Manager only, and will not be visible from managed units.

Workflow Automation (audit processing) for the Aggregator server now includes the capability to create ad-hoc databases for each Aggregator task and specify only the relevant days for that task.

Note: The ad-hoc databases for the Aggregation server may be kept in the system for up to 14 days (depending on the value of the CLI command, drop_ad_hoc_audit_db) for post-run analysis by Guardium support services if required.

When defining reports in Audit Process, the number of days of the report (defined by the FROM-TO fields) should not exceed a certain threshold (one month by default). If this threshold is exceeded, a run-time error will result when trying to run the audit task on the Aggregator.

It is permissible to create an audit task with a FROM-TO range that is wider than the max_audit_reporting value (set in CLI) because Audit processes defined on the Aggregator may be run on managed collectors (when this aggregator is a manager). Audit tasks run on collector unit, do not have a max_audit_reporting limitation.

So, it is valid to save tasks beyond the allowed range, but you will get a Run Time Exception when the task is executed on the Aggregator.

The Audit Report threshold can be configured using the CLI command, show max_audit_reporting or store max_audit_reporting. There is no warning message when a report is created with an invalid FROM-TO range. Instead a fixed message appears in the Task Parameters panel in the Audit Process setup menu screen (Tools/Audit Process Builder. open up Audit Tasks to display Task Parameters). The fixed message is:

On aggregators, only reports not exceeding the allowed time range (CLI: max_audit_reporting) will be executed.

Note: When running a patch install, all audit processes are stopped.

Stop an audit process

Stopping an audit process can be performed only if the audit tasks have not been run or are running. Stopping an audit process will not execute any more tasks that have not started. Stopping an audit process does not deliver partial results. The audit process stops and a stopped error message is the result. However, if tasks are complete, stopping an audit process will not stop the sending of results.

Stop an audit process by using invoking GuardAPI (place the cursor on any line and double-click for a drill-down) from Comply > Tools and Views > Audit Process Log report.

For any user, stopping an audit process, will display only the line belonging to that user (just the tasks, not all the details). An admin user can see all the details and can stop anyone's audit processes. A user can only stop their own audit processes.

Note:

Queries using a remote source can not be stopped. Online reports using a remote source can not be stopped.

Stopping an audit processes does not apply to Privacy Sets Audit Tasks or External Feed Audit Tasks. If the Privacy Set or External Feed tasks have started, they will finish even if the process is stopped.

Results Distribution

Audit process receivers will be notified via email and/or their To-Do list of pending audit process results. You can designate any receiver as a signer for a process, in which case the results can optionally be held at that point on the distribution list, until that receiver electronically signs the results or releases them. Receivers can be individual users, user groups, or roles.

Audit Process Summary

In the Audit Process Finder screen is the Audit Process Status Summary. This section contains information on scheduled audit processes, as well as results, receivers outstanding and errors. This summary is a consolidation of data from multiple audit process reports.

There is also a button to delete any audit process results. See the Audit Process Finder screen. Look for the Results button, next to the Run Once Now button (choices of View or Delete).

Delete audit process results, but track or log who deleted the report. The audit-delete role is used to track or log when an audit process result has been deleted. Users with the audit-delete role can delete reports. Admin users can also delete reports. Tracking is done through the User Activity Audit Trail report.

Note: Audit process results from remote sources is limited to 100,000 results. To go beyond that limit, use the CLI command, store save_result_fetch_size (show save_result_fetch_size).

Process Receivers

You can define any number of receivers for a workflow automation process, and you control the order in which they receive results. In addition, receivers can notify additional receivers, using the Escalate function. It is also possible to run an audit process with no defined receivers. For example, an audit process with no receivers that writes to syslog and has no need to review (or sign) the results.

Who can be a receiver?

On the Process Definition panel, the drop-down list of receivers includes all Guardium users, user groups, and roles (groups and roles are labeled as such). When a group or role is selected, all users belonging to the group or having that role will receive the results.

If a group receiver is selected, and any workflow automation task uses the special run-time parameter ./LoggedUser in a query condition, the query will be executed separately for each user in the group, and each user will receive only their results.

For example, assume that your company has three DBAs, and each DBA is in charge of a different set of servers. Using the Custom Data Upload facility, upload the areas of responsibilities of each DBA (with server IPs) to the Guardium system, and correlate that to the database activity domain, and then use a report in this custom domain as an audit task. If a user group that contains the three DBAs is designated as the receiver, each DBA will receive the report relevant for his or her collection of servers only.

If a group receiver is selected, and sign-off is required, each group member must sign the results separately (as explained earlier, each member of the group may be looking at a different set of results).

A receiver can be solely an email address and results will be sent to that email address. When entering an email address, the user will be required to enter a user that will be used to filter the data. The user must be the same user that is logged in or a user under the user that is logged in the data hierarchy.

If a role receiver is selected, only one user with that role will need to sign the results, and other users with that role will be notified when the results have been signed.

Note:

When a workflow event is created, every status used by that event can be assigned a role (meaning that events can only be seen by this role when in this status). When an event is assigned to an audit process, it is important that every role that is assigned to a status of this event have a receiver on this audit process. Otherwise, it is possible that an audit result row can be put into a status where none of its receivers are able to see this row or change its status.

If this is to occur, the admin user (who is able to see all events, regardless of their roles) would be able to see the row and change its status. However, if data level security is on, the admin user may not be able to see this row. The admin user would need to either turn data level security off (from Global Profile) or have the dataset_exempt role. It is important to configure the audit process so that all roles who must act on an event associated with this audit process are receivers of this audit process.

email Notification

Optionally, receivers can be notified of new process results via email, and there are two options for distributing results via email:

Link Only - The email notification will contain a hypertext link to the results stored on the Guardium system. For the link to work, you must access your mail from a system that has access to the Guardium system. See the following section for more information about email links.
Full Results - A PDF file or generated CSV file containing the results will be attached to the email, except for an Escalation that specifies a receiver not included in the original distribution list, in which case no PDF or CSV file will be attached. When the Full Results option is selected, care must be taken, since sensitive and private data may be included in the PDF or CSV file. When running an audit process, if there is a receiver with Full Results with CSV checked, it does not generate CSV files for tasks of type Assessment, Classifier or External Feed. These task types also can not generate CSV/CEF/PDF files for export. Only for tasks of type Report, Privacy Set or Entity Audit Trails, and if there is a receiver with Full Results via CSV checked, will CSV files be generated.
Note: When viewing audit results, if a generated PDF already exists, a Recreate PDF button will appear for the user to recreate and download the regenerated PDF.

Hypertext Links to Process Results

In email messages, there are conditions where links to process results on the Guardium system will not work. For example:

If you are accessing email from a location where you cannot normally access the Guardium system, the links will not work. For example, when out of the office, you may have access to your email over the Internet, but not to your company's private network or LAN, where the system is installed.
If you have not accessed your email for a longer period of time than the report results are kept, those results will not be available when you click the link. For example, if the results are kept for seven days but you have been on vacation for two weeks, your email may contain links to results older than seven days, and those links will not work.

About Frozen Receivers Links

Once a process has been run, the existing receiver list is frozen, which means:

You cannot delete receivers from the list.
You cannot move existing receivers up or down in the list.
You can add receivers to end of the list at any time, and reposition the new receivers at that time.
If the Guardium user account for a receiver on the list is deleted, the admin user account (which is never deleted) is substituted for that receiver. Thus the admin user receives any email notifications that would have been sent to a deleted receiver, and the admin user must act upon any results released to that receiver.
If you need to create a totally different set of receivers for an existing process, deactivate the original process, make a clone of it, and then make the modifications to the receivers list in the cloned version before saving it.

How Results are Released to Receivers

Results are released to the Guardium users listed on the receivers list, subject to the Continuous check box, as follows:

If the Continuous check box is marked, distribution continues to the next receiver on the list without interruption.
If the Continuous check box is cleared, distribution to the next receiver is held until the current receiver performs the required action (review or sign).

For example, assume you want to define a workflow process as follows:

DBAs - All DBAs should receive their results at the same time, with each DBA receiving a different result set based on the server IPs associated with him/her
Only when ALL DBAs have signed, the DBA Manager should see the results
Only when DBA Manager releases the report, the Auditors should see the results
All Auditors should receive the reports at the same time, but only one of them (any of them) needs to sign each result. The others will be updated when a result was signed.
An auditor can escalate a result to the Audit Manager.

To define this flow:

The DBAs group would be named as the first receiver
The DBA Manager would be next on the list.
The Auditors role (not group) would be next on the list. Any Auditor could sign and others will be notified. Also, any auditor can escalate a results set to the Audit Manager.
Note: The results will only distribute to the next receiver when the current receiver has marked the Continuous button. This is completely separate from the review/sign functionality and does not depend on the review/sign functionality all.

Note: Process results that are exported to CSV or CEF files are sent to another network location by the Guardium archiving and exporting mechanism. These results are not subject to the receivers list or to any signing actions. They are subject to the Guardium CSV/CEF export schedule (if any is defined), and they are subject to the access permissions that have been granted for the directory in which they are ultimately stored.

Exporting Audit Task Output to CSV, CEF or PDF Files

Reports containing information that can be used by other applications, or reports containing large amounts of data, can be exported to other file formats. Report, Entity Audit Trail, and Privacy Set task output can be exported to CSV (Comma Separated Value) files, and output for database activity reports can be exported to an ArcSight Common Event Format (CEF) file.

In addition, CEF and CSV file output can be written to syslog. If the remote syslog capability is used, this will result in the immediate forwarding of the output CEF/CSV file to the remote syslog locations. The remote syslog function provides the ability to direct messages from each facility and severity combination to a specific remote system. See the remotelog (syslog) CLI command description for more information.

Each record in the CSV or CEF file represents a row on the report.

The exported file is created in addition to the standard task output, it does not replace it. These files are useful when you need to:

Integrate with an existing SIEM (Security Incident and Event Manager) in your infrastructure (Qradar, ArcSight, Network Intelligence, LogLogic, TSIEM, etc.).
Review and analyze very large compliance task results sets. (Task results sets that are intended for Web presentation are limited to 5,000 rows of output, whereas there is no limit to the number of rows that will be written to an exported CSV or CEF file.)

Exported CSV and CEF files are stored on the Guardium system, and are named in the format:

process_task_YYYY_MMM_DD-HHMMSS.<csv | cef>

Where process is a label you define on the audit process definition, task is a second-level label that you can define for each task within the process, and YYYY_MMM_DD-HHMMSS is a date-time stamp created when the task runs.

You cannot access the exported CSV or CEF files directly on the Guardium system. Your Guardium administrator must use the CSV/CEF Export function to move these files from the Guardium system to another location on the network. To access those files, check with your Guardium administrator to determine the location to which they have been copied.

The fact that exported files are sent outside of the Guardium system has two important implications:

The release of these files is not connected to the results distribution plan defined for the audit process. These files are exported on a schedule defined by the Guardium administrator.
Once the CSV/CEF Export function runs, all exported files will be available to anybody (Guardium user or not) who can access the destination directory defined for the CSV/CEF Export operation. For this reason, your Guardium administrator may want to schedule additional jobs (outside of the Guardium system) to copy sets of exported files from the Guardium CSV/CEF Export destination directory, to directories with appropriate access permissions.

CSV/CEF Export activity is available in the Aggregation/Archive Activity report.

Note: If observed data level security has been enabled, then audit process output (including files) will be filtered so users will see only the information of their assigned databases. Files sent to an email receiver as an attachment will be filtered. However, files downloaded locally on the machine and then moved elsewhere using the Results Export function are not subject to data level security filtering. See CSV/CEF Export later in this topic for further information on CSV/CEF Export.

The following table summarizes what happens when exporting an Audit Process file to CSV/CEF/PDF.

Table 1. Exporting Audit Task Output to CSV, CEF or PDF Files
Function	Level	CSV	CEF	PDF
Attach to email	Receiver	Full Details radio --> PDF check box	N/A	Full Details radio --> PDF check box The radio buttons are only for receiver PDF
Export file	Task	Export CSV file check box	Export CSV file check box	Export CSV file check box
Report empty and Approve if Empty = yes	Receiver	Export not affected (empty files will be exported) Attachment, no email attachment	Export not affected (empty files will be exported) Attachment, no email attachment	Export not affected (empty files will be exported) Attachment, no email attachment
Zip attachment	Audit Process	If no file generated, nothing to zip Merge all CSVs into one ZIP file	N/A	If no file generated, nothing to zip PDF is not zipped
Compress (export)	Task	Compressed, separate file for each CSV file	Compressed, separate file for each CSV file	PDF is not compressed

How Zip for Email and Compress work for Audit Task Output

Zip for Email is the highest level of control for Audit Task Export. Zip for email produces a set of CSV or CEF files. PDF is not ever zipped and is not ever compressed.

Compress works on individual files.

Note: For CSV attachments, when Zip for Email is cleared, Compress can still be applied. And Compress can be per task. Thus one Audit Task may send a .csv file while another may send a .csv.gz file, in the same email.

The interaction of Zip for Email and Compress is as follows:

With Zip for email checked (regardless of whether Compress is also checked), the attachment is one zip file of CSV files.
With Zip for email not checked, and Compress checked, the attachment is a set of csv.gz files.
With Zip for email not checked, and Compress not checked, the attachment is a set of csv files.
With Compress checked, Download All will be csv.gz.
With Compress cleared, Download All will be csv.
With Compress checked or cleared, Download displayed will still be csv.
With Compress checked, export of CSV/CEF files will be gzipped.
With Compress cleared, export of CSV/CEF files will not be gzipped.

Export to SCAP or AXIS

In the Audit Process Definition, in the section on Add New Task, when choosing a Task Type of Security Assessment, a number of choices will appear: Export AXIS xml and Export SCAP xml. Choose one of these selections in order to save the Audit Process results and to transfer the XML file to the destination set up for Results Export (Manage > Data Management > Results Export (Files)). Further choices are for configuring the PDF format: Report, Difference, Report and Difference.

SCAP is Security Content Automation Protocol. AXIS is Apache EXtensible Interaction System and is used by QRadar.

Creating or Changing Reports

Use the Report Builder to create or customize reports, including customization such as applying highlight colors to rows. To open the Report Builder, navigate to Reports > Report Configuration Tools > Report Builder.

Create an Audit Workflow Process

Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder.
Click the New button to open the Audit Process Definition panel The Audit Process Definition panel is divided into three sections: General, Receivers and Tasks.
Go to the Tasks section first. You must define at least one audit task before you can save the process. Work your way through each task in setting choices. Perform the appropriate procedure for each audit task you want to include in the audit process. The task choices detailed in this section are:
- Define a Report Task
- Define a Security Assessment Task
- Define an Entity Audit Trail Task
- Define a Privacy Set Task
- Define a Classification Process Task
- Define an External Feed Task
Go to the Receivers section. Open the drop-down box and add the receivers for the process. See Add Receivers. Checkoffs are needed to determine action required, additions to To-do list, notification via email notifications and continuous distribution. Again see Add Receivers for complete information in setting these choices.
Go to the General section. Enter a name in the Description box. Do not include apostrophe characters.
Check the Active box to associate a schedule with this process.
Mark the Archive Results box if you want to store the results offline after the retention period has expired. When results have been archived, you can restore them to the system for viewing again, later.
Use the Archive Result purge before Reviewed box to delete the results of an ad-hoc process without holding until all reviewers had reviewed, all sign-offs have taken place, all workflow activities have been met. This feature gives the user an option of deleting results in a specified period of time (such as 1-day) whether the results have been reviewed or not.
In the Keep for a minimum of (n) days or (n) runs boxes, specify how long to keep the results, as either a number of days (0 by default) or a number of runs (5 by default). After that, the results will be archived (if the Keep for a minimum box is marked) and purged from the system.
Note: Results will only be shown if there are receivers for the results. Add receivers, re-run the results and the run will now show up in the dropdown list.
If one or more tasks create CSV or CEF files, you can optionally enter a label to be included in all file names, in the CSV/CEF File Label box. These files can also be compressed, or Zipped, by clicking on the Zip for mail box to add a checkmark.
Note: There is a limit on export of CSV/CEF file sizes greater than 10240 MB (10.240 GB). It is a recommended best practice to check the box Zip for mail.
The Email Subject field in the Audit Process definition is used in the emails for all receivers for that audit process. The subject may contain one (or more) of the following variables that will be replaced at run time for the subject:
- %%ProcessName will be replaced with the audit process description
- %%ExecutionStart will be replaced with the start date and time of the first task.
- %%ExecutionEnd will be replaced with the end date and time of the last task.
Upon entering a subject, it will check whether any variable (starting with %% is present) and will ensure all are valid variables.
Optionally assign security roles.
Optionally add comments.
Click the appropriate buttons to Schedule or Run an Audit Workflow Process.
Click Save. Do not leave this menu screen to perform another configuration before saving your work. Work-in-progress is not saved and not held in half-created suspension if you leave this section to go create something else needed for the audit task.
For example, to define an assessment task in Audit Process Builder, it is first necessary to go to Security Assessment Builder to create assessment tests and then to Datasource Definitions to identify the database(s) to be assessed. Save your work when creating Audit Workflow and then go to other tasks or perform those other tasks first and then create the Audit Workflow Process.

Add Receivers

In the Receiver column, select a receiver from the drop-down list of Guardium individual users, groups, or roles. If you select a group or a role, all members of the group or users with that role will receive the results; and if signing is required, only one member or user will need to sign the results.
In the Action Required column, select one option:
- Review (the default) - Indicates that this receiver does not need to sign the results.
- Review and Sign - Indicates that this receiver must sign the results (electronically, by clicking the Sign Results button when viewing the results online).
In the To-Do List column, either mark or clear the Add check box to indicate whether this receiver should be notified of pending results in their Audit Process To-Do List.
Note: To send files on an external server without sending email and without adding results to the to-do list, define an audit process without receivers. Also clear the to-do list check box in the Add Receiver section and remove/ do not add any receiver in the receiver section in order not to add results to To-do list.
In the Email Notification column, select one option:
- No - email will not be sent to the receiver.
- Link Only - email will contain a hypertext link to the results (on the Guardium system).
- Results - email will contain a copy of the results in PDF or CSV format. Be aware that the results from Classification or Assessment tasks may return sensitive information.
The check box in the Continuous column controls whether or not distribution of results continues to the next receiver (the default), or stops until this receiver has taken the appropriate action. If the Continuous box is cleared, and this receiver is a group or a role, when any user who is a member or that group or role performs the selected action, the results will be released to the next receiver on the list.
Note: The results will only distribute to the next receiver when the current receiver has marked the Continuous button. This is completely separate from the review/sign functionality and does not depend on the review/sign functionality all.
Click Add to add the receiver to the end of the list, and repeat these steps for each receiver. One receiver is required.
Receivers who are not users are permitted. Choose: Email and then enter an email address, and the results will be sent to that email address. When entering a non-user email address, there is a requirement that a user name that will be used to filter the data. The user must be the same user that is logged in or a user under the user that is logged in the hierarchy. This user will be saved in a new column in the Receivers section of the screen.
Approve if Empty - When this check box is checked, if all the reports of the task are empty, it will do the following: automatically sign the result (and/or mark it as viewed); automatically click Continue (if relevant); will NOT send the notification email; will NOT add the task to the To-Do list of that user; will NOT generate any PDF/CSV/CEF files. With this check box, empty audit results will be signed automatically and the results will still look like any other complete (viewed/signed) audit results when looking at the audit result logs. This action will apply to empty reports and the empty security assessment results. See table summarizing what happens when Approve If Empty = YES in the section Exporting Audit Task Output to CSV, CEF or PDF Files.

Export a CSV or CEF File

Report, Entity Audit Trail, and Privacy Set audit task output can be exported to CSV files, and Report audit task output can be exported to a CEF file. From the Report, Entity Audit Trail or Privacy Set section under Audit Tasks, work through the following:

Select title.
Enter an optional label for the file in the CSV/CEF File Label box. The default is from the Description for the task. This label will be one component of the generated file name (another will be the label defined for the workflow automation process).
Mark either Export CSV file or Export CEF file.
Note: CEF file output is appropriate for data access domain reports only (Access, Exceptions, or Policy Violations, for example). Other domains like the Guardium self-monitoring domains (Aggregation/Archive, Audit Process, Guardium Logins, etc.) do not map to CEF extensions.
If Export CEF file was selected, optionally mark the Write CEF to Syslog box to write the CEF records to syslog. If the remote syslog facility is enabled, the CEF file records will thus be written to the remote syslog.
If the Compress box is checked, then the CSV/CEF files to be exported will be compressed.
If the Export PDF file box is checked, then a PDF file (with similar name as CSV Export file) for this Audit Task is created and exported together with the CSV/CEF files.
Note: The Export PDF file will not be compressed, even if the Compress box in the previous step is checked.

Define a Report Task

If you have not yet started to define compliance workflow automation process, create a workflow process before performing this procedure. If the report to be used has not yet been defined, do that first.

If the Add New Task pane is not open, click Add Audit Task.
Click the Report radio button.
There a number of choices for CSV/CEF File Label, Export CSV/CEF, Export PDF, Write to Syslog, and Compress. See Export a CSV or CEF File.
The selection of PDF Options are: Report (the current results), Diff (difference between one earlier report and a new report) and Reports and Diff (both).
Note: The selection of PDF Options applies to both PDF attachments and PDF export files. The Diff result only applies only AFTER the first time this task is run. There is no Diff with a previous result if there is no previous result. The maximum number of rows that can be compared at one time is 5000. If the number of result rows exceeds the maximum, the message
```
(compare first 5000 rows only)
```
will show up in the diff result.
Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
Click Apply.

API for automatic execution

By default, the Guardium application comes with setup data that links many of the API functions to reports, providing users, through the GUI, with prepared calls to APIs from reporting data. Use API Assignment in Reports to link additional API functions to predefined Guardium reports or custom reports. The menu choice API for automatic execution will appear in the Add Audit Task: Report when selecting an appropriate predefined Guardium report or custom report that have fields in the report that are linked to API parameters. Examples of predefined reports where the API for automatic execution menu choice will appear are Access Policy Violations, Databases Discovered, and Guardium Group Details.

Workflow Builder

The formal sequence of event types created in Workflow Builder is managed by clicking on the Event and Additional Column button in the Audit Tasks window. This button will appear after an audit task has been created and saved. This additional button will not appear until the audit task is saved. Configure these workflow activities when Adding An Audit Task:

Create and save an Audit Task. After saving, an additional button will appear, Events and Additional Columns.
Click this additional button.
At the next screen, place a checkmark in the box for Event & Sign-off. The workflow created in Workflow Builder will appear as a choice in Event & Sign-off.
Highlight this choice. Apply (save) your selection.
If additional information (such as company codes, business unit labels, etc.) is needed as part of the workflow report, add this information in the Additional Column section of the screen and then click Apply (save). In order to select the predefined or created groups column, change the Type column to Group. When done, close this window.
Apply (save) your Audit Task. Apply (save) the entire Audit Process Definition.

This Event and Additional Column button appears in all audit tasks. By placing the cursor over this button, an information balloon will appear telling the user if the audit task has an Event or a Sign-off column linked to the specific audit task.

Note:

If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.

Under the Report choices within Add an Audit Task are two procedural reports, Outstanding Events and Event Status Transition. Add these two reports to two new audit tasks to show details of all workflow events and transitions These two reports will not be filtered (observed data level security filtering will not be applied). These two reports are available by default in the list of reports only to admin user and users with the admin role.

The Additional Columns button is disabled for Classification tasks.

Clone an Audit Task - If you are cloning a process, and you made changes to a cloned task before the cloned process is saved, the workflow associated with the original task will not be cloned.

Deletion of a event status is permitted only if the status is not in the first status of any events, and if it not used by any action. The validation will provide a list of events/actions that prevent the status from being deleted.

The owner/creator of a workflow event can always see all statuses of this event, regardless of what roles have been assigned to these statuses.

Define a Security Assessment Task

f you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure. If the assessment to be used has not yet been defined, do that first.

If the Add New Task pane is not open, click Add Audit Task.
Click the Security Assessment button.
Select a security assessment from the Security Assessment list.
The selection of PDF Content are Report (the current results), Diff (difference between one earlier report and a new report) and Reports and Diff (both).
Click Apply.

Note:

If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.

If a security assessment task is empty (for example, a security assessment with a set of no roles), this empty security assessment will not show up in the drop-down list in Audit Builder.

Define an Entity Audit Trail Task

If you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure.

If the Add New Task pane is not open, click Add Audit Task.
Click the Entity Audit Trail button.
Select the type of entity to be audited. Depending on the type selected, you will be required to supply the following information:
- Object: Enter an object name.
- Object Group: Select an object group from the list.
- Client IP: Enter a client IP address.
- Client Group IP: Select a client IP group.
- Server IP: Enter a server IP address.
- Application User Name: Enter an application user name.
There a number of choices for CSV/CEF File Labels, Write CEF to Syslog, Compress and Export PDF. See Export a CSV or CEF File.
In the Task Parameters pane, supply run-time parameter values (only the From and To periods are required).
Click Apply.

Note: If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.

Define a Privacy Set Task

f you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure. If the privacy set to be used has not yet been defined, do that first.

If the Add New Task pane is not open, click Add Audit Task.
Click the Privacy Set button.
Select a privacy set from the Privacy Set list.
Select either Report by Access Details or Report by Application User to indicate how you want the results sorted and displayed.
There a number of choices for CSV/CEF File Labels, Write CEF to Syslog, Compress and Export PDF. See Export a CSV or CEF File.
Enter starting and ending dates for the report in the Period Start and Period End boxes.
Click Apply.

Note: If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.

Define a Classification Process Task

If you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure. If the classification process to be used has not yet been defined, do that first.

If the Add New Task pane is not open, click Add Audit Task.
Click the Classification Process button.
Note: You will be alerted that classification processes may return sensitive data, and those results will be appended to PDF or CSV files.
Select a classification process from the Classification Process list. Click Apply.

Note: If data level security at the observed data level has been enabled, then audit process output will be filtered so users will see only the information of their databases.

Define an External Feed Task

This type of workflow automation task feeds data collected by Guardium to an external application, mapping the data to a format recognized by that application. This task type is an extra-cost feature, enabled by a patch.

Note: If this feature is used in a Central Manager environment, the External Feed Patch must be installed on the Central Manager, and on all managed units on which the task will run.

For more information about how the data is mapped from Guardium to the external application, refer to the documentation for the option that was purchased.

If you have not yet started to define a compliance workflow automation process, create a workflow process before performing this procedure.

If the Add New Task pane is not open, click Add Audit Task.
Click External Feed.
Select a feed type from the Feed Type list.
The controls that appear next depend on the feed type selected. See Optional External Feed for additional information on specific External Feed Types.
Select an event type from the Event Type list.
Select a report from the Report list. Depending on the report selected, a variable number of parameters will appear in the Task Parameters pane.
In the Extract Lag box, enter the number of hours by which the feed is to lag, or mark the Continuous box to include data up to the time that the audit task runs.
In the Datasources pane, identify one or more datasources for the external feed.
Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
Click Apply.

View or Sign Results

Open the Compliance Workflow Automation results.
If signing is required, click the Sign Results button.
Optional. To forward these results to another user, click Escalate, and see Forward Results to Additional Receivers (in Escalation section).
Click Close this window link.

Note: If there are outstanding events, then the results can not be signed either from the audit viewer or from the To-do list. If there are outstanding events and an attempt is made to sign the results, the following message appears:

Audit process cannot be signed - has pending events.

Please update all outstanding events prior to signing this result.

Note: When viewing audit process results, if a result has events associated with it, the Sign Results button is not available on this result until all events are in a Final state or cannot be seen by this user (due to data-level security).

Note: This report also contains a date or Last Action Time, located in a column between Receiver and Status. This report shows that the result was signed by user AAA, but also when this user AAA signed this result.

Release Results without Signing or Viewing

Open your To-Do List panel.
Click the Continue button for the results you want to release to the next receiver on the distribution list.
Click Close this window link.

View Results Distribution

Open the compliance workflow automation results.
Expand the Distribution Status panel by clicking the (Show Details) button.
Click Close this window link.

View Receiver Comments Added to Results

Open the compliance workflow automation results.
Expand the Comments panel by clicking the Show Details button.
Note: These are the comments that were attached to the results when the report page was retrieved from the Guardium system. If you add comments of your own, or if other receivers are adding comments simultaneously, you will not see those comments until you refresh your page (using your browser Refresh function).
Click Close this window link.

Escalate Process Results

A receiver of process results can forward the results notification for review and/or sign-off to additional receivers. If you escalate the results to a receiver outside of the original audit and sign-off trail, and the results include a CSV file, that file will not be included with the notification.

Regardless of who is a receiver of an audit result, an escalation can involve any user on the system, provided the Escalate result to all users box is checked in the Setup > Tools and Views > Global Profile menu. A check mark in this box escalates audit process results to all users, even if data level security at the observed data level is enabled. The default setting is enable. If the check box is disabled (no check mark in the check box), then audit process escalation will only be allowed to users at a higher level in the user hierarchy. If the check box is disabled, and there is no user hierarchy, then no escalation is permitted.

Also, depending on event permissions, if for example, the infosec user can only see events in status1 and dba user can only see events in status2, the dba user will receive a different result than the result the infosec user saw when the infosec user clicked Escalate. It is possible that infosec will escalate to dba, and dba will receive an audit result with 0 rows in it.

If the compliance workflow automation results you want to forward are not open, open them now.
Click Escalate.
Select the receiver from the Receiver list.
In the Action Required column, select Review (the default) or Review and Sign.
Click the Escalation button to complete the operation.

Note:

Audit process results cannot be escalated to a group of users, only to users or roles.

When escalating to an user who already has the result in the user's to-do list, a popup message will appear, asking if an additional email should be sent. If yes, an additional email will be sent to the user, but the to-do list will not be incremented.

Schedule or Run a Compliance Workflow Automation Process

Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder.
Select the process from the Process Selection List.
Click Modify to open the Audit Process Definition panel.
To run the process once, click Run Once Now, or to define a schedule for the process, click Modify Schedule.
Note: After a schedule has been defined for a process, the process runs according to that schedule only when it is marked active. To activate or deactivate an audit process, see the next section.

Activate or Deactivate a Compliance Workflow Automation Process

After a schedule has been defined for an audit process, it runs according to that schedule, only when it is marked active.

To activate or deactivate an audit process:

Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder.
Select the audit process from the Process Selection List.
Click Modify.
In the Audit Process Definition panel, mark the Active box to start running the process according to the schedule; or clear the Active box to stop running the process (ignoring any schedule defined).
Note: If you are activating the process but there is no schedule, click Modify Schedule to define a schedule for running the process.
Click Save.