
Using the Query Builder to Troubleshoot Effectively
IBM® Security Guardium™
IBM SECURITY SUPPORT OPEN MIC

NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

Apr 27 2017

To hear the WebEx audio, select an option in the Audio Connection dialog or access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device.

Once connected (on PC), you should see this in the bottom right corner:

For more information, visit: http://ibm.biz/WebExOverview_SupportOpenMic


2 IBM Security

Panelists

Presenter: Avi Walerius – Guardium Technical Support

Panelists:
Greg Holmes, Guardium Technical Support
Jack Kerbert, Guardium Technical Support
Lisette Contreras, Guardium Technical Support
Chris Beaney, Technical Support Manager

Moderator: Andrew McCarl, IBM Security eSupport


3 IBM Security

Goal of session

Understand how query builder uses domains, entities, attributes and a main entity to display data in the internal database

Use that knowledge to define useful queries for troubleshooting and reporting


4 IBM Security

Agenda

• What is the query builder?

• Structure of a query: domains, entities, attributes, main entity

• Troubleshooting examples

• Adding conditions

• Steps for creating a troubleshooting query

• Extra tips

• Useful links


5 IBM Security

What is the Query Builder?

• The Guardium internal database contains a lot of information:
  - Audit data from agents
  - Configuration settings
  - Self-monitoring information

• CLI command: support show db-top-tables all

• We want to be able to use and access this data

• We don’t want to give users unlimited permission to it. It includes audit data that should not be tampered with.

• The solution is the query builder


6 IBM Security

What is the Query Builder?

• The query builder is an interface for the user to access most of the underlying data

• Once the query is built it can be used in a report to display the results retrieved from the query

  Select GDM_ACCESS.CLIENT_IP STR_DATA1, GDM_ACCESS.SERVER_IP STR_DATA2
  From GDM_ACCESS
  Where ( (GDM_ACCESS.TIMESTAMP >= '?QUERY_FROM_DATE')
      AND (GDM_ACCESS.TIMESTAMP <= '?QUERY_TO_DATE') )
    AND ( (GDM_ACCESS.CLIENT_IP in ( '1.2.3.4'!!1.2.3.4^^12!!)) )


7 IBM Security

Structure of a Query

• There are too many tables in the internal database to give one simple interface to all of them

• Instead the interface is split into smaller, linked areas

• Key concepts: Domain, Entity, Attribute, Main Entity

• Understanding this will help you create good queries


8 IBM Security

Structure of a Query - Domains

A domain is a set of tables that is linked based on the purpose or function of the information in those tables.

Access Domain – Tables related to access of data on a monitored database

Policy Violations Domain – Tables related to policy violation events as defined by the policy

Aggregation/Archive Domain – Tables related to aggregation processes running on the appliance


9 IBM Security

Structure of a Query – Entities

• An entity is a label for one table within a domain

• An Entity may be in multiple domains. For example session information is useful for both Access and Policy Violations domains.

[Screenshots: entities in the Access Domain; entities in the Policy Violations Domain; entities in the Aggregation/Archive Domain]


10 IBM Security

Structure of a Query – Attributes

• An attribute is one field within an entity

• Attributes with the same name in different entities are not the same. E.g. Timestamp

[Screenshots: attributes in the Session Entity; attributes in the Policy Rule Violation Entity; attributes in the Agg/Archive Log Entity]


11 IBM Security

Structure of a Query – Main Entity

• The main entity should be the entity that is the focus of the query

• Timestamp runtime parameters will use the timestamp defined by the main entity

• There will be one row in the report for each row in the table corresponding to the main entity:
  - Session main entity – One row for every session
  - SQL main entity – One row for every SQL
  - Object main entity – One row for every object

• Values are not available for attributes in entities below the main entity.


12 IBM Security

Structure of a Query – Summary

Domain - Group of tables
  Access domain: GDM_ACCESS, GDM_SESSION, GDM_CONSTRUCT, GDM_CONSTRUCT_TEXT…

Entity - One table in the group
  Session Entity: GDM_SESSION

Attribute - One field in the table
  Session Start Attribute: GDM_SESSION.SESSION_START

Main Entity - Main focus of your query
  Session Main Entity: GDM_SESSION


13 IBM Security

Troubleshooting Examples

• Simple recreations of real life cases

1. Where using the right main entity can be the difference between understanding your problem and not.

2. Where using the wrong main entity makes it seem like there is a problem, when in fact there is not.


14 IBM Security

Troubleshooting Example 1 – Full SQL vs Client/Server

• Problem: Missing DB User

• Initial query to troubleshoot with:


15 IBM Security

What troubleshooting information can we get from this report?

Are there some missing DB Users? – Yes

How many sessions are missing user? – Don’t know

Are all S-TAPs affected? – Hard to tell

When did the problem start? – Hard to tell


16 IBM Security

Troubleshooting Example 1 – Full SQL vs Client/Server

• DB User Name is an attribute in the Client/Server entity

• To troubleshoot initially, we want information about the client/servers that are missing DB User

• Use Client/Server as the main entity. Better query to troubleshoot with:

• Choose appropriate attributes from other entities with count/min/max

• Use Order-by to sort the results


17 IBM Security

What troubleshooting information can we get from this report?

Only one server IP is missing user.

Both local and remote traffic is missing user from that server.

Not all sessions from that server are missing user.

Problem seems to start around 16.00 on April 19

Could be performance problem on S-TAP.

Possible next steps:
  - Check sessions report for this server.
  - Get S-TAP diags.


18 IBM Security

Troubleshooting Example 2 – Command vs Full SQL

• Problem: Duplicate SQLs captured?

• Initial query to troubleshoot with:


19 IBM Security

Is my SQL being logged twice?


20 IBM Security

Troubleshooting Example 2 – Command vs Full SQL

• Remember that there is one row in the report for each occurrence of the main entity. In this report command is the main entity

• Is my SQL being logged twice?

• No, there are two commands in the SQL, so it appears twice in report with command as the main entity.

• General lesson – not adding an attribute from the main entity can cause confusing results

Added Command attribute


21 IBM Security

Troubleshooting Example 2 – Command vs Full SQL

• This problem is about SQL, so make a query with SQL (or Full SQL) as the main entity.

• Add Full SQL ID to see if the values are unique

• Add count of Command to see how many there are per SQL.


22 IBM Security

Troubleshooting Example 2 – Command vs Full SQL

• One Full SQL with 2 commands associated with it

• Each Full SQL row has a unique Full SQL ID

• Is this SQL being logged twice? No
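As an added example (not from the presentation or the Guardium product), both troubleshooting cases above rebuilt on a constructed three-table miniature of the internal database in SQLite; the table and column names are hypothetical and are not Guardium's real GDM_* schema. report_command_main_entity reproduces the apparent duplicate of Example 2, report_full_sql_main_entity shows the Full SQL main entity with a count of Command, and report_missing_db_user shows the per-server count/min aggregation of Example 1.

```python
import sqlite3
# Constructed miniature of the Guardium internal database. Table and column
# names are hypothetical and do NOT match the real GDM_* schema.
SCHEMA = """
CREATE TABLE session (session_id INTEGER, server_ip TEXT, client_ip TEXT,
                      db_user TEXT, session_start TEXT);
CREATE TABLE full_sql (full_sql_id INTEGER, session_id INTEGER, sql_text TEXT);
CREATE TABLE command (command_id INTEGER, full_sql_id INTEGER, verb TEXT);
"""

# Constructed sample data: server 10.0.0.2 logs sessions with an empty DB user
# from both local and remote clients, and Full SQL 100 holds two commands.
SAMPLE = [
    ("INSERT INTO session VALUES (?,?,?,?,?)", [
        (1, "10.0.0.1", "10.0.0.9", "appuser", "2017-04-19 15:00:00"),
        (2, "10.0.0.2", "10.0.0.2", "dbadmin", "2017-04-19 15:30:00"),
        (3, "10.0.0.2", "10.0.0.2", "", "2017-04-19 16:05:00"),
        (4, "10.0.0.2", "10.0.0.7", "", "2017-04-19 16:10:00"),
        (5, "10.0.0.2", "10.0.0.7", "appuser", "2017-04-19 16:20:00"),
    ]),
    ("INSERT INTO full_sql VALUES (?,?,?)", [
        (100, 1, "INSERT INTO t SELECT * FROM s"),
        (101, 1, "SELECT 1"),
    ]),
    ("INSERT INTO command VALUES (?,?,?)", [
        (1, 100, "INSERT"), (2, 100, "SELECT"), (3, 101, "SELECT"),
    ]),
]

def build_db():
    """Create and populate the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt, rows in SAMPLE:
        conn.executemany(stmt, rows)
    return conn

def report_command_main_entity(conn):
    """Example 2 as first built, Command as main entity: one row per command,
    so two-command statement 100 shows up twice and looks duplicated."""
    return conn.execute("""
        SELECT f.full_sql_id, f.sql_text, c.verb
        FROM command c JOIN full_sql f ON f.full_sql_id = c.full_sql_id
        ORDER BY f.full_sql_id, c.command_id""").fetchall()

def report_full_sql_main_entity(conn):
    """Example 2 corrected, Full SQL as main entity plus a count of Command:
    one row per Full SQL ID, and each ID is unique."""
    return conn.execute("""
        SELECT f.full_sql_id, f.sql_text, COUNT(c.command_id) AS command_count
        FROM full_sql f LEFT JOIN command c ON c.full_sql_id = f.full_sql_id
        GROUP BY f.full_sql_id, f.sql_text ORDER BY f.full_sql_id""").fetchall()

def report_missing_db_user(conn):
    """Example 1, Client/Server-style grain: one row per server IP with the
    session count, how many lack a DB user, and when that first happened."""
    return conn.execute("""
        SELECT server_ip, COUNT(*) AS sessions, SUM(db_user = '') AS missing,
               MIN(CASE WHEN db_user = '' THEN session_start END) AS first_missing
        FROM session GROUP BY server_ip ORDER BY server_ip""").fetchall()
```

Running the three reports against build_db() shows statement 100 twice at Command grain, once with command_count 2 at Full SQL grain, and only 10.0.0.2 with missing users, starting at 16:05.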


23 IBM Security

Adding Conditions

• Be careful adding specific conditions when starting troubleshooting. Try and start with as few as possible.

• Mistaken understanding of what the values will be leads to confusion. You think your server IP is 1.2.3.4 but in fact it is appearing differently in reports. If you make a condition where server ip = 1.2.3.4 the report will be blank.

• Using ‘like parameter’ gives flexibility


24 IBM Security

Steps for creating a troubleshooting query

1. Choose the right domain. If it is related to access of your DB Server it is likely the access domain. The Policy Violations and Exceptions domains are also common.

2. Choose the right main entity. There will be one line in the report for each row in the main entity. Think about the problem you are troubleshooting: what is it “about”? Choose the main entity based on that.

3. Choose useful attributes.
  - No need to add many attributes that you won't look at
  - Choose the right timestamp - http://www-01.ibm.com/support/docview.wss?uid=swg21989895
  - Consider if some count/min/max attributes would be helpful

4. Start with no conditions and then add. Only apply conditions once you are sure they do what you expect.

5. Refine the query as you go. Add or change attributes and conditions to focus on the problem. Reduce the timestamp parameters if it helps


25 IBM Security

Extra tips

• “Access Rule Description” attribute
  - Full SQL Entity -> Access Rule Description (v10 only)
  - Policy Violations Domain -> Policy Rule Violation Entity -> Access Rule Description

• “Session Ignored” attribute
  - Session Entity -> Session Ignored

• Export to CSV and filter there
  - Useful with many results


26 IBM Security

Extra tips

• Predefined queries
  - Sometimes the query you need already exists. Search in the main entity for predefined queries.

• Clone existing queries
  - Clone predefined queries or your own ones to save work.


27 IBM Security

Useful links

• How can I check if the correct data is being logged on my Guardium Appliance?
  Queries about session and Full SQL information
  http://www-01.ibm.com/support/docview.wss?uid=swg21699711

• Understanding timestamps in Guardium reports
  Meaning of timestamp attributes from different entities. How to use the correct timestamp
  http://www-01.ibm.com/support/docview.wss?uid=swg21989895

• Unexpected results in Guardium reports due to SQL object and command depth
  Reporting on complex or nested SQL statements with objects and commands at different depths.
  http://www-01.ibm.com/support/docview.wss?uid=swg21672451

• Guardium data distributions dashboard and reports
  Analyze spikes in database and system space usage
  http://www-01.ibm.com/support/docview.wss?uid=swg22001191
  Open mic replay - http://www-01.ibm.com/support/docview.wss?uid=swg27049532


28 IBM Security

Questions on this or other topics can be directed to the product forum: https://developer.ibm.com/answers/topics/guardium/

Get started with IBM Security Support: IBM Support Portal | Sign up for “My Notifications”

Follow us:


29 IBM Security

Questions for the panel

Now is your opportunity to ask questions of our panelists.

To ask a question now:

Raise your hand in the WebEx session to ask a question live

or

Type your question into the WebEx chat

To ask a question after this presentation:

You are encouraged to participate in our Forum on this topic - https://developer.ibm.com/answers/topics/guardium/


https://www.facebook.com/IBM-Security-Support-221766828033861/

xforce.ibmcloud.com

@askibmsecurity

youtube/user/ibmsecuritysupport

© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU

securityintelligence.com