Building audit processes

Stop an audit process

Stopping an audit process can be performed only if the audit tasks have not been run or are running. Stopping an audit process will not execute any more tasks that have not started. Stopping an audit process does not deliver partial results. The audit process stops and a stopped error message is the result. However, if tasks are complete, stopping an audit process will not stop the sending of results.

Stop an audit process by invoking GuardAPI (place the cursor on any line and double-click for a drill-down) from the Audit Process Log Report.

For any user, stopping an audit process, will display only the line belonging to that user (just the tasks, not all the details). An admin user can see all the details and can stop anyone's audit processes. A user can only stop their own audit processes.

Results Distribution

Audit process receivers will be notified via email and/or their To-Do list of pending audit process results. You can designate any receiver as a signer for a process, in which case the results can optionally be held at that point on the distribution list, until that receiver electronically signs the results or releases them. Receivers can be individual users, user groups, or roles.

Audit Process Summary

In the Audit Process Finder screen is the Audit Process Status Summary. This section contains information on scheduled audit processes, as well as results, receivers outstanding and errors. This summary is a consolidation of data from multiple audit process reports.

There is also a button to delete any audit process results. See the Audit Process Finder screen. Look for the Results button, next to the Run Once Now button (choices of View or Delete).

Delete audit process results, but track or log who deleted the report. The audit-delete role is used to track or log when an audit process result has been deleted. Users with the audit-delete role can delete reports. Admin users can also delete reports. Tracking is done through the User Activity Audit Trail report.

Process Receivers

You can define any number of receivers for a workflow automation process, and you control the order in which they receive results. In addition, receivers can notify additional receivers, using the Escalate function. It is also possible to run an audit process with no defined receivers. For example, an audit process with no receivers that writes to syslog and has no need to review (or sign) the results.

Who can be a receiver?

On the Process Definition panel, the drop-down list of receivers includes all Guardium® users, user groups, and roles (groups and roles are labeled as such). When a group or role is selected, all users belonging to the group or having that role will receive the results.

If a group receiver is selected, and any workflow automation task uses the special run-time parameter ./LoggedUser in a query condition, the query will be executed separately for each user in the group, and each user will receive only their results.

If a group receiver is selected, and sign-off is required, each group member must sign the results separately (as explained earlier, each member of the group may be looking at a different set of results).

A receiver can be solely an email address and results will be sent to that email address. When entering an email address, the user will be required to enter a user that will be used to filter the data. The user must be the same user that is logged in or a user under the user that is logged in the data hierarchy.

If a role receiver is selected, only one user with that role will need to sign the results, and other users with that role will be notified when the results have been signed.

Email Notification

Optionally, receivers can be notified of new process results via email, and there are two options for distributing results via email:

• Link Only  - The email notification will contain a hypertext link to the results stored on the Guardium system. For the link to work, you must access your mail from a system that has access to the Guardium system. See the following section for more information about email links.
• Full Results - A PDF file or generated CSV file containing the results will be attached to the email, except for an Escalation that specifies a receiver not included in the original distribution list, in which case no PDF or CSV file will be attached. When the Full Results option is selected, care must be taken, since sensitive and private data may be included in the PDF or CSV file. When running an audit process, if there is a receiver with Full Results with CSV checked, it does not generate CSV files for tasks of type Assessment, Classifier or External Feed. These task types also can not generate CSV/CEF/PDF files for export. Only for tasks of type Report, Privacy Set or Entity Audit Trails, and if there is a receiver with Full Results via CSV checked, will CSV files be generated.
  Note: When viewing audit results, if a generated PDF already exists, a Recreate PDF button will appear for the user to recreate and download the regenerated PDF.

Hypertext Links to Process Results

In email messages, there are conditions where links to process results on the Guardium system will not work. For example:

• If you are accessing email from a location where you cannot normally access the Guardium system, the links will not work. For example, when out of the office, you may have access to your email over the Internet, but not to your company's private network or LAN, where the system is installed.
• If you have not accessed your email for a longer period of time than the report results are kept, those results will not be available when you click the link. For example, if the results are kept for seven days but you have been on vacation for two weeks, your email may contain links to results older than seven days, and those links will not work.

About Frozen Receivers Links

Once a process has been run, the existing receiver list is frozen, which means:

• You cannot delete receivers from the list.
• You cannot move existing receivers up or down in the list.
• You can add receivers to end of the list at any time, and reposition the new receivers at that time.
• If the Guardium user account for a receiver on the list is deleted, the admin user account (which is never deleted) is substituted for that receiver. Thus the admin user receives any email notifications that would have been sent to a deleted receiver, and the admin user must act upon any results released to that receiver.
• If you need to create a totally different set of receivers for an existing process, deactivate the original process, make a clone of it, and then make the modifications to the receivers list in the cloned version before saving it.

How Results are Released to Receivers

Results are released to the Guardium users listed on the receivers list, subject to the Continuous check box, as follows:

• If the Continuous check box is marked, distribution continues to the next receiver on the list without interruption.
• If the Continuous check box is cleared, distribution to the next receiver is held until the current receiver performs the required action (review or sign).

For example, assume you want to define a workflow process as follows:

• DBAs - All DBAs should receive their results at the same time, with each DBA receiving a different result set based on the server IPs associated with him/her
• Only when ALL DBAs have signed, the DBA Manager should see the results
• Only when DBA Manager releases the report, the Auditors should see the results
• All Auditors should receive the reports at the same time, but only one of them (any of them) needs to sign each result.  The others will be updated when a result was signed.
• An auditor can escalate a result to the Audit Manager.

To define this flow:

• The DBAs group would be named as the first receiver
• The DBA Manager would be next on the list.
• The Auditors role (not group) would be next on the list. Any Auditor could sign and others will be notified. Also, any auditor can escalate a results set to the Audit Manager.
  Note: The results will only distribute to the next receiver when the current receiver has marked the Continuous button. This is completely separate from the review/sign functionality and does not depend on the review/sign functionality all.
  Note: Process results that are exported to CSV or CEF files are sent to another network location by the Guardium archiving and exporting mechanism. These results are not subject to the receivers list or to any signing actions. They are subject to the Guardium CSV/CEF export schedule (if any is defined), and they are subject to the access permissions that have been granted for the directory in which they are ultimately stored.

Exporting Audit Task Output to CSV, CEF or PDF Files

Reports containing information that can be used by other applications, or reports containing large amounts of data, can be exported to other file formats. Report, Entity Audit Trail, and Privacy Set task output can be exported to CSV (Comma Separated Value) files, and output for database activity reports can be exported to an ArcSight Common Event Format (CEF) file.

In addition, CEF and CSV file output can be written to syslog. If the remote syslog capability is used, this will result in the immediate forwarding of the output CEF/CSV file to the remote syslog locations. The remote syslog function provides the ability to direct messages from each facility and severity combination to a specific remote system. See the remotelog (syslog) CLI command description for more information.

Each record in the CSV or CEF file represents a row on the report.

The exported file is created in addition to the standard task output, it does not replace it. These files are useful when you need to:

• Integrate with an existing SIEM (Security Incident and Event Manager) in your infrastructure (Qradar, ArcSight, Network Intelligence, LogLogic, TSIEM, etc.).
• Review and analyze very large compliance task results sets. (Task results sets that are intended for Web presentation are limited to 5,000 rows of output, whereas there is no limit to the number of rows that will be written to an exported CSV or CEF file.)

Exported CSV and CEF files are stored on the Guardium system, and are named in the format:

process_task_YYYY_MMM_DD-HHMMSS.<csv | cef>

Where process is a label you define on the audit process definition, task is a second-level label that you can define for each task within the process, and YYYY_MMM_DD-HHMMSS is a date-time stamp created when the task runs.

You cannot access the exported CSV or CEF files directly on the Guardium system. Your Guardium administrator must use the CSV/CEF Export function to move these files from the Guardium system to another location on the network. To access those files, check with your Guardium administrator to determine the location to which they have been copied.

The fact that exported files are sent outside of the Guardium system has two important implications:

• The release of these files is not connected to the results distribution plan defined for the audit process. These files are exported on a schedule defined by the Guardium administrator.
• Once the CSV/CEF Export function runs, all exported files will be available to anybody (Guardium user or not) who can access the destination directory defined for the CSV/CEF Export operation. For this reason, your Guardium administrator may want to schedule additional jobs (outside of the Guardium system) to copy sets of exported files from the Guardium CSV/CEF Export destination directory, to directories with appropriate access permissions.

CSV/CEF Export activity is available in the Aggregation/Archive Activity report.

The following table summarizes what happens when exporting an Audit Process file to CSV/CEF/PDF.

How Zip for Email and Compress work for Audit Task Output

Zip for Email is the highest level of control for Audit Task Export. Zip for email produces a set of CSV or CEF files. PDF is not ever zipped and is not ever compressed.

Compress works on individual files.

The interaction of Zip for Email and Compress is as follows:

• With Zip for email checked (regardless of whether Compress is also checked), the attachment is one zip file of CSV files.
• With Zip for email not checked, and Compress checked, the attachment is a set of csv.gz files.
• With Zip for email not checked, and Compress not checked, the attachment is a set of csv files.
• With Compress checked, Download All will be csv.gz.
• With Compress cleared, Download All will be csv.
• With Compress checked or cleared, Download displayed will still be csv.
• With Compress checked, export of CSV/CEF files will be gzipped.
• With Compress cleared, export of CSV/CEF files will not be gzipped.

Creating or Changing Reports

Use the Report Builder to create or customize reports, including customization such as applying highlight colors to rows. To open the Report Builder, navigate to Reports > Report Configuration Tools > Report Builder.

Create an Audit Workflow Process

1. Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder.
2. Click the button to open the Audit Process Definition panel. The panel is divided into three sections: General, Receivers and Tasks.
3. Go to the Tasks section first. You must define at least one audit task before you can save the process. Work your way through each task in setting choices. Perform the appropriate procedure for each audit task you want to include in the audit process. The task choices detailed in this section are:
   • Define a Report Task
4. Go to the Receivers section. Open the drop-down box and add the receivers. For the process, see Add Receivers. Checkoffs are needed to determine action required, additions to To-do list, notification via email notifications and continuous distribution. Again see Add Receivers for complete information in setting these choices.
5. Go to the General section. Enter a name in the Description box. Do not include apostrophe characters.
6. Check the Active box to associate a schedule with this process.
7. Mark the Archive Results box if you want to store the results offline after the retention period has expired. When results have been archived, you can restore them to the system for viewing again, later.
8. Use the Archive Result purge before Reviewed box to delete the results of an ad-hoc process without holding until all reviewers had reviewed, all sign-offs have taken place, all workflow activities have been met. This feature gives the user an option of deleting results in a specified period of time (such as 1-day) whether the results have been reviewed or not.
9. In the Keep for a minimum of (n) days or (n) runs boxes, specify how long to keep the results, as either a number of days (0 by default) or a number of runs (5 by default). After that, the results will be archived (if the Keep for a minimum box is marked) and purged from the system.
   Note: Results will only be shown if there are receivers for the results. Add receivers, re-run the results and the run will now show up in the dropdown list.
10. If one or more tasks create CSV or CEF files, you can optionally enter a label to be included in all file names, in the CSV/CEF File Label box. These files can also be compressed, or Zipped, by clicking on the Zip for mail box to add a checkmark.
    Note: There is a limit on export of CSV/CEF file sizes greater than 10240 MB (10.240 GB). It is a recommended best practice to check the box Zip for mail.
11. The Email Subject field in the Audit Process definition is used in the emails for all receivers for that audit process. The subject may contain one (or more) of the following variables that will be replaced at run time for the subject:
    • %%ProcessName will be replaced with the audit process description
    • %%ExecutionStart will be replaced with the start date and time of the first task.
    • %%ExecutionEnd will be replaced with the end date and time of the last task.

    Upon entering a subject, it will check whether any variable (starting with %% is present) and will ensure all are valid variables.

12. Optionally assign security roles.
13. Optionally add comments.
14. Click the appropriate buttons to Schedule or Run an Audit Workflow Process.
15. Click Save. Do not leave this menu screen to perform another configuration before saving your work. Work-in-progress is not saved and not held in half-created suspension if you leave this section to go create something else needed for the audit task.

    For example, to define an assessment task in Audit Process Builder, it is first necessary to go to Security Assessment Builder to create assessment tests and then to Datasource Definitions to identify the database(s) to be assessed. Save your work when creating Audit Workflow and then go to other tasks or perform those other tasks first and then create the Audit Workflow Process.

Add Receivers

1. In the Receiver column, select a receiver from the drop-down list of Guardium individual users, groups, or roles. If you select a group or a role, all members of the group or users with that role will receive the results; and if signing is required, only one member or user will need to sign the results.
2. In the Action Required column, select one option:
   • Review (the default) - Indicates that this receiver does not need to sign the results.
   • Review and Sign - Indicates that this receiver must sign the results (electronically, by clicking the Sign Results button when viewing the results online).
3. In the To-Do List column, either mark or clear the Add check box to indicate whether this receiver should be notified of pending results in their Audit Process To-Do List.
   Note: To send files on an external server without sending email and without adding results to the to-do list, define an audit process without receivers. Also clear the to-do list check box in the Add Receiver section and remove/ do not add any receiver in the receiver section in order not to add results to To-do list.
4. In the Email Notification column, select one option:
   • No - email will not be sent to the receiver.
   • Link Only - email will contain a hypertext link to the results (on the Guardium system).
   • Results - email will contain a copy of the results in PDF or CSV format. Be aware that the results from Classification or Assessment tasks may return sensitive information.
5. The check box in the Continuous column controls whether or not distribution of results continues to the next receiver (the default), or stops until this receiver has taken the appropriate action. If the Continuous box is cleared, and this receiver is a group or a role, when any user who is a member or that group or role performs the selected action, the results will be released to the next receiver on the list.
   Note: The results will only distribute to the next receiver when the current receiver has marked the Continuous button. This is completely separate from the review/sign functionality and does not depend on the review/sign functionality all.
6. Click Add to add the receiver to the end of the list, and repeat these steps for each receiver. One receiver is required.
7. Receivers who are not users are permitted. Choose: Email and then enter an email address, and the results will be sent to that email address. When entering a non-user email address, there is a requirement that a user name that will be used to filter the data. The user must be the same user that is logged in or a user under the user that is logged in the hierarchy. This user will be saved in a new column in the Receivers section of the screen.
8. Approve if Empty - When this check box is checked, if all the reports of the task are empty, it will do the following: automatically sign the result (and/or mark it as viewed); automatically click Continue (if relevant); will NOT send the notification email; will NOT add the task to the To-Do list of that user;  will NOT generate any PDF/CSV/CEF files. With this check box, empty audit results will be signed automatically and the results will still look like any other complete (viewed/signed) audit results when looking at the audit result logs. This action will apply to empty reports and the empty security assessment results. See table summarizing what happens when Approve If Empty = YES in the section Exporting Audit Task Output to CSV, CEF or PDF Files.

Export a CSV or CEF File

Report, Entity Audit Trail, and Privacy Set audit task output can be exported to CSV files, and Report audit task output can be exported to a CEF file. From the Report, Entity Audit Trail or Privacy Set section under Audit Tasks, work through the following:

1. Select title.
2. Enter an optional label for the file in the CSV/CEF File Label box. The default is from the Description for the task. This label will be one component of the generated file name (another will be the label defined for the workflow automation process).
3. Mark either Export CSV file or Export CEF file.
   Note: CEF file output is appropriate for data access domain reports only (Access, Exceptions, or Policy Violations, for example). Other domains like the Guardium self-monitoring domains (Aggregation/Archive, Audit Process, Guardium Logins, etc.) do not map to CEF extensions.
4. If Export CEF file was selected, optionally mark the Write CEF to Syslog box to write the CEF records to syslog. If the remote syslog facility is enabled, the CEF file records will thus be written to the remote syslog.
5. If the Compress box is checked, then the CSV/CEF files to be exported will be compressed.
6. If the Export PDF file box is checked, then a PDF file (with similar name as CSV Export file) for this Audit Task is created and exported together with the CSV/CEF files.
   Note: The Export PDF file will not be compressed, even if the Compress box in the previous step is checked.

Define a Report Task

If you have not yet started to define compliance workflow automation process, create a workflow process before performing this procedure. If the report to be used has not yet been defined, do that first.

1. If the Add New Task pane is not open, click Add Audit Task.
2. Click the Report radio button.
3. There a number of choices for CSV/CEF File Label, Export CSV/CEF, Export PDF, Write to Syslog, and Compress. See Export a CSV or CEF File.
4. The selection of PDF Options are: Report (the current results), Diff (difference between one earlier report and a new report) and Reports and Diff (both).
   Note: The selection of PDF Options applies to both PDF attachments and PDF export files. The Diff result only applies only AFTER the first time this task is run.  There is no Diff with a previous result if there is no previous result. The maximum number of rows that can be compared at one time is 5000. If the number of result rows exceeds the maximum, the message

   (compare first 5000 rows only)

   will show up in the diff result.
5. Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
6. Click Apply.

API for automatic execution

By default, the Guardium application comes with setup data that links many of the API functions to reports, providing users, through the GUI, with prepared calls to APIs from reporting data. Use API Assignment in Reports to link additional API functions to predefined Guardium reports or custom reports. The menu choice API for automatic execution will appear in the Add Audit Task: Report when selecting an appropriate predefined Guardium report or custom report that have fields in the report that are linked to API parameters. Examples of predefined reports where the API for automatic execution menu choice will appear are Access Policy Violations, Databases Discovered, and Guardium Group Details.

View or Sign Results

1. Open the Compliance Workflow Automation results.
2. If signing is required, click the Sign Results button.
3. Optional. To forward these results to another user, click Escalate, and see Forward Results to Additional Receivers (in Escalation section).
4. Click Close this window link.

Audit process cannot be signed - has pending events.

Please update all outstanding events prior to signing this result.

Release Results without Signing or Viewing

1. Open your To-Do List panel.
2. Click the Continue button for the results you want to release to the next receiver on the distribution list.
3. Click Close this window link.

View Results Distribution

1. Open the compliance workflow automation results.
2. Expand the Distribution Status panel by clicking the Show Details button.
3. Click Close this window link.

View Receiver Comments Added to Results

1. Open the compliance workflow automation results.
2. Expand the Comments panel by clicking the Show Details button.
   Note: These are the comments that were attached to the results when the report page was retrieved from the Guardium system. If you add comments of your own, or if other receivers are adding comments simultaneously, you will not see those comments until you refresh your page (using your browser Refresh function).
3. Click Close this window link.

Escalate Process Results

A receiver of process results can forward the results notification for review and/or sign-off to additional receivers. If you escalate the results to a receiver outside of the original audit and sign-off trail, and the results include a CSV file, that file will not be included with the notification.

Regardless of who is a receiver of an audit result, an escalation can involve any user on the system, provided the Escalate result to all users box is checked in the Setup > Tools and Views > Global Profile menu. A check mark in this box escalates audit process results to all users, even if data level security at the observed data level is enabled. The default setting is enable. If the check box is disabled (no check mark in the check box), then audit process escalation will only be allowed to users at a higher level in the user hierarchy. If the check box is disabled, and there is no user hierarchy, then no escalation is permitted.

Also, depending on event permissions, if for example, the infosec user can only see events in status1 and dba user can only see events in status2, the dba user will receive a different result than the result the infosec user saw when the infosec user clicked Escalate.  It is possible that infosec will escalate to dba, and dba will receive an audit result with 0 rows in it.

1. If the compliance workflow automation results you want to forward are not open, open them now.
2. Click Escalate.
3. Select the receiver from the Receiver list.
4. In the Action Required column, select Review (the default) or Review and Sign.
5. Click the Escalation button to complete the operation.

Audit process results cannot be escalated to a group of users, only to users or roles.

When escalating to an user who already has the result in the user's to-do list, a popup message will appear, asking if an additional email should be sent. If yes, an additional email will be sent to the user, but the to-do list will not be incremented.

Schedule or Run a Compliance Workflow Automation Process

1. Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder.
2. Select the process from the Process Selection List.
3. Click Modify to open the Audit Process Definition panel.
4. To run the process once, click Run Once Now, or to define a schedule for the process, click Modify Schedule.
   Note: After a schedule has been defined for a process, the process runs according to that schedule only when it is marked active. To activate or deactivate an audit process, see the next section.

Activate or Deactivate a Compliance Workflow Automation Process

After a schedule has been defined for an audit process, it runs according to that schedule, only when it is marked active.

To activate or deactivate an audit process:

1. Open the Audit Process Builder by navigating to Comply > Tools and Views > Audit Process Builder.
2. Select the audit process from the Process Selection List.
3. Click Modify.
4. In the Audit Process Definition panel, mark the Active box to start running the process according to the schedule; or clear the Active box to stop running the process (ignoring any schedule defined).
   Note: If you are activating the process but there is no schedule, click Modify Schedule to define a schedule for running the process.
5. Click Save.