Tenant settings
Learn about the various tenant settings that you can make in Guardium® Insights.
Before you begin
To see the various settings, open the main menu by clicking the main menu icon, then click Tenant settings.
Procedure
- Browser session duration: The default time period after which inactive Guardium Insights sessions expire is 15 minutes. Click this card to change its value. The valid range is 5 minutes to 2 hours.
- REST-API session duration: The default maximum duration of any Guardium Insights session is 15 minutes. Click this card to change its value. The valid range is 30 minutes to 16 hours.
- Report settings: Click this card to change these settings:
- Report data retrieval timeout
- Online report maximum rows
- Maximum results exported to a file from an online report
- PDF report maximum rows
- Number of days an exported CSV report file is maintained before deletion. Note: In Version 3.4.x and later, CSV files are deleted within 24 hours of the specified time.
- Version 3.4.x and later: Files are deleted within 24 hours of the specified time.
- Version 3.3.x: Number of days an exported CSV report file is maintained before deletion.
- Version 3.3.x: Number of days a scheduled report download file is maintained before deletion.
- Scheduled report data retrieval timeout
- Enable queries that use pipeline plans for online reporting: This setting can improve performance by reducing the time that it takes for reports to load. Use this setting if you have large amounts of data (for example, a report that gathers data over a long time period, or a scheduled report). By default, this is set to enable pipeline Queries without sorts and aggregation. To disable pipeline queries for reporting, select No queries; to enable all pipeline queries for reporting, select All queries. You can override the default settings for specific reports by using the report settings. Note: Pipeline queries often negatively affect the performance of queries with sorts and aggregation. In addition, queries that return a small amount of data may also take a long time to execute. For these reports, consider disabling this feature to improve performance. Note: Version 3.3.x: Install the latest Guardium Insights patch (Version 3.2.2 or later) to use this feature.
- Run an explain before each online report: If you need to know which query plan the user interface is generating for reports, you can receive an explain run by selecting Enabled under Run an explain before each online report.
- Table join optimization: When this option is activated, reports run without joins to the SESSION table by default. This option can improve report runtime for data coming from Guardium collectors. To improve report performance, select Active (by default, this is set to Inactive). You can override the default settings for specific reports by using the report settings. Warning: If used in a report that contains data from direct streamed data sources, some fields may be missing data. The default can be overridden for specific reports in the report editor.
- Risk Events settings:
- Duration of time to keep a Risk Event active: If a Risk Event remains open, meaning that it is not closed or delegated manually, then it is active as long as new findings are found for the same asset. If there are no new findings for several days, then the Risk Event remains in Open status, but new findings found after this period will not be added to it. If there are new findings after this period, then a new Risk Event will be created for that asset. The default is 7 days.
- Risk score threshold: After the risk score is calculated, it is compared to the threshold. A Risk Event is created only if its score is higher than this threshold. Raising the threshold results in fewer Risk Events being created. Lowering the threshold results in more Risk Events being created. The default is 40.
- Global risk score and Global risk severity level: A global Risk Event is created when there are many leads of the same type. For example, many high severity policy violations. This Risk Event indicates there is a cross-system threat, or a cross-system event that affects many assets. When a global Risk Event is created, its risk score and severity level are not calculated. Instead the Risk Event is set with the values defined here. The default for the global risk score is 100. The default for the global severity level is Critical.
- Number of assets in feature generators group: This is an internal attribute. Do not change this value unless specifically asked to do so by IBM Support. The default is 50.
- Number of rows to display on the Risk Events page: The Risk Events page retrieves a limited set of Risk Events at a time. The Risk Events are retrieved by the time range set on the page and the Risk Event status. Other filters are applied to the retrieved Risk Events. The default limit is 1000.
- Detailed reports for each finding type on the Risk Event page: When clicking a finding on the Risk Event page, a right-side panel opens with a link to a detailed report. There is a different report for each finding type: activity, exception, policy violation or outlier. Select a report for each finding type. The defaults are: Client IP activity summary report for activity findings, Exception details report for exception findings, Policy violation report for policy violation findings and Outlier details report for outlier findings.
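The rules in the Risk Events settings above (active window, score threshold, fixed score and severity for global events) are easier to reason about as code. The following is an added illustrative model, not Guardium Insights code; the names RiskEventSettings, Finding, RiskEvent and RiskEventEngine are assumptions, and the per-finding risk score is treated as an already-calculated input. It shows why a finding that arrives after the active window opens a second Open event for the same asset rather than extending the first one, and why a score equal to the threshold does not create an event.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Added example, not Guardium Insights code. Class and function names are assumptions.


@dataclass
class RiskEventSettings:
    active_days: int = 7               # Duration of time to keep a Risk Event active
    score_threshold: int = 40          # Risk score threshold
    global_score: int = 100            # Global risk score
    global_severity: str = "Critical"  # Global risk severity level


@dataclass
class Finding:
    asset: str
    kind: str          # activity, exception, policy violation or outlier
    score: int         # risk score already calculated for this finding (assumed input)
    seen_at: datetime


@dataclass
class RiskEvent:
    asset: str
    score: int
    status: str = "Open"
    severity: Optional[str] = None   # severity derivation for non-global events is not described on the page
    is_global: bool = False
    findings: List[Finding] = field(default_factory=list)
    last_finding_at: Optional[datetime] = None


class RiskEventEngine:
    def __init__(self, settings: RiskEventSettings):
        self.settings = settings
        self.events: List[RiskEvent] = []

    def _active_event_for(self, asset: str, now: datetime) -> Optional[RiskEvent]:
        """Return the asset's Open, non-global event that received a finding within the
        active window. An older Open event stays Open but no longer accepts findings."""
        window = timedelta(days=self.settings.active_days)
        for ev in self.events:
            if ev.asset == asset and ev.status == "Open" and not ev.is_global:
                if ev.last_finding_at is not None and now - ev.last_finding_at <= window:
                    return ev
        return None

    def ingest(self, finding: Finding) -> Optional[RiskEvent]:
        """Attach the finding to the asset's active Risk Event, or open a new one.
        Returns None when there is no active event and the score is not above the threshold."""
        ev = self._active_event_for(finding.asset, finding.seen_at)
        if ev is not None:
            ev.findings.append(finding)
            ev.last_finding_at = finding.seen_at
            return ev
        # A new Risk Event is created only if its score is higher than the threshold.
        if finding.score <= self.settings.score_threshold:
            return None
        ev = RiskEvent(asset=finding.asset, score=finding.score,
                       findings=[finding], last_finding_at=finding.seen_at)
        self.events.append(ev)
        return ev

    def create_global_event(self, findings: List[Finding]) -> RiskEvent:
        """Global Risk Events take the configured fixed score and severity; nothing is calculated."""
        ev = RiskEvent(asset="*", score=self.settings.global_score,
                       severity=self.settings.global_severity, is_global=True,
                       findings=list(findings),
                       last_finding_at=max(f.seen_at for f in findings))
        self.events.append(ev)
        return ev


if __name__ == "__main__":
    engine = RiskEventEngine(RiskEventSettings())
    t0 = datetime(2024, 1, 1)
    first = engine.ingest(Finding("db-prod-01", "policy violation", 75, t0))        # constructed
    engine.ingest(Finding("db-prod-01", "outlier", 10, t0 + timedelta(days=3)))       # joins `first`
    second = engine.ingest(Finding("db-prod-01", "activity", 60, t0 + timedelta(days=11)))  # new event
    print(len(engine.events), first is second, first.status)
```

Lowering `score_threshold` in the settings makes `ingest` open events for lower-scoring findings; shortening `active_days` splits one asset's findings into more, smaller events. Both effects show up directly in `engine.events`.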
- Sniffer settings: Click this card to change these settings:
- Mask the parser errors: Mask the literal errors when a parser error is encountered.
- Active parser: The parser engine used by the sniffer.
- Logging granularity: The number of minutes to use as a logging time period.
- Maximum SQL verbs in one alert: Maximum number of SQL verbs in one alert message for the Verb template variable.
- Maximum SQL objects in one alert: Maximum number of SQL objects in one alert message for the Object template variable.
- Connection settings: Click this card to change these settings:
- Enable persistent queue: Enable persistent queue to prevent data loss. When enabled, the input data is saved to disk, and only then parsed and sent to the sniffer. This can prevent data loss if a universal connector service fails. The persistent queue might affect the throughput and the performance of the system.
- Persistent queue size: The maximum data stored in the persistent queue. When the queue is full, Logstash puts back pressure on the inputs to stall data from flowing into Logstash. This mechanism helps Logstash control the rate of data flow at the input stage without overwhelming outputs like Elasticsearch.
- Enable debug mode: The debug mode output is used by Guardium Support. Enable debug mode only if Guardium Support requests it.
- Download certificate: Click this to download the certificate to your local system for universal connector configuration.
- Group synchronization schedule: If you import groups from Guardium or LDAP, you can choose to synchronize them on a regular basis to keep them up to date. Click this card to change these settings:
- Synchronization enabled: When this is set to On, you will be able to enable synchronization when importing group members.
- Select schedule timezone: Select the timezone of the synchronization schedule.
- Repeat every: You can repeat the synchronization on a daily or hourly basis. Set the number of days or hours to wait before repeating the synchronization.
- Run at: Set the time of day to run the synchronization.
- Data retention settings: Use this setting to purge data that is no longer being analyzed. With this setting, you can specify how long data is retained before it is removed from the system. Any data that is older than the retention period is automatically purged. By default, this setting is disabled. To enable it, move the slider to Enabled. Once enabled, select the time frame (Days, Weeks, Months, or Years) and then set the number to the desired value (by default, the purge takes place at 2:00am; this time can be changed by editing the data-retention-scheduler cron job). Click Save and then restart the data retention pod to set the data retention period.
Note: This setting removes data from these tables:
- Full SQL
- Instance
- Session
- Policy violation
- Overflow fields
- Exception
Data from other tables is not removed.
Important:
- If you intend to use a short retention period for large amounts of data, stagger the length of time that you set for retention. This prevents Guardium Insights from attempting to purge too much data at once. For example, rather than setting the retention period to 3 months for a large amount of data, set it to 9 months, then later to 6 months, and then to 3 months. If your data retention setting affects too many rows (by default, 2 billion rows), Guardium Insights prompts you with a warning (the number of rows that triggers this warning can be set with the CUSTOM_MAX_PURGE_ROWS environment variable).
- When running a report, do not select a time range that includes data that is being purged. This can cause the report to fail, because the data being queried is in the process of being deleted.
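The staggering advice above can be checked before touching the setting. The following is an added example, not Guardium Insights code: it buckets rows by age in months (constructed figures: twelve months of history at 600 million rows per month) and simulates a single jump to 3 months against the 9, 6, 3 month sequence, flagging any step that would exceed the warning threshold. Only the 2 billion row default and the CUSTOM_MAX_PURGE_ROWS variable name come from the page; the function names are assumptions, and the real purge also depends on which tables hold the rows.

```python
import os
from typing import List, Sequence, Tuple

# Added example, not Guardium Insights code. Row counts below are constructed.

DEFAULT_MAX_PURGE_ROWS = 2_000_000_000   # documented default for the purge warning

# Constructed example data: rows per month of age, index 0 = the current month.
ROWS_BY_MONTH_AGE: List[int] = [600_000_000] * 12


def max_purge_rows() -> int:
    """Warning threshold: CUSTOM_MAX_PURGE_ROWS from the environment if set, else the default."""
    return int(os.environ.get("CUSTOM_MAX_PURGE_ROWS", DEFAULT_MAX_PURGE_ROWS))


def rows_older_than(months: int, rows_by_age: Sequence[int] = ROWS_BY_MONTH_AGE) -> int:
    """Rows that a retention period of `months` months would purge in one pass."""
    return sum(rows_by_age[months:])


def purge_plan(steps: Sequence[int], rows_by_age: Sequence[int] = ROWS_BY_MONTH_AGE,
               max_rows: int = DEFAULT_MAX_PURGE_ROWS) -> List[Tuple[int, int, bool]]:
    """Simulate a descending sequence of retention settings (e.g. [9, 6, 3] months), each
    applied after the previous purge has completed. Returns one tuple per step:
    (retention_months, rows_purged, exceeds_warning), where exceeds_warning mirrors the
    prompt Guardium Insights shows when a purge would affect more than max_rows rows."""
    if list(steps) != sorted(steps, reverse=True):
        raise ValueError("retention steps must be in descending order")
    plan: List[Tuple[int, int, bool]] = []
    remaining = list(rows_by_age)
    for months in steps:
        purged = sum(remaining[months:])   # only rows between the old and new cutoff
        remaining = remaining[:months]
        plan.append((months, purged, purged > max_rows))
    return plan


if __name__ == "__main__":
    threshold = max_purge_rows()
    for label, steps in (("direct to 3 months", [3]), ("staggered 9 -> 6 -> 3", [9, 6, 3])):
        for months, purged, too_many in purge_plan(steps, max_rows=threshold):
            flag = "WARNING" if too_many else "ok"
            print(f"{label}: retention {months} months purges {purged:,} rows [{flag}]")
```

With the constructed figures, the direct change to 3 months purges 5.4 billion rows in one pass and trips the warning, while each of the three staggered steps purges 1.8 billion rows and stays under it; the total removed is the same either way, which is the point of staggering.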
- Version 3.4.x and later: Risk event setting: By default, the risk event setting that provides feedback for risk event categorization is enabled. You can choose to disable the feedback option. For more information on risk event categorization feedback, see Providing feedback.