IBM Support

Why does the "SQL" Attribute show the value "DBAS" in IBM Security Guardium® Reports when processing DAM traffic from Microsoft® Azure® Data Stream?

Question & Answer


Question

You are performing Data Activity Monitoring (DAM) of a Microsoft™ SQL Server instance deployed on Microsoft™ Azure™.
When running some reports, you notice that some SQL activity is being logged with the value "DBAS".
The "DB User Name" is showing a hash value, which is also unexpected.
Why are you seeing this unexpected information in your reports?

Cause

The IBM Security Guardium® Inspection Core (alias "Sniffer") is designed to get the DAM information from the Microsoft™ Azure™ database audit facility records.

Answer

Here is how it obtains these values: 

Scenario 1. The "DB User Name" Attribute has an unrecognized database user. Instead, a dash-separated alphanumeric string is displayed.
Answer. The database username value is taken from the value of the "session_server_principal_name" column in the Microsoft™ SQL Server audit record.

Scenario 2. One or more of the "SQL", "Full SQL", "SQL Verb", or other similar Attributes contain the value "DBAS".
Answer. When an SQL statement is empty in the audit records, Guardium uses the value of the "action_id" column to populate the SQL construct in IBM Security Guardium™.
If you have the proper access and privileges in the Azure environment, you can check that this is a valid value using this query on the Microsoft™ SQL Server audit record:  
SELECT DISTINCT action_id, name, class_desc, parent_class_desc FROM sys.dm_audit_actions;

This explains how IBM Security Guardium™ gets its traffic from the SQL Server audit record.

One other note:  Some records that have the "action_id" = "DBAS" correspond to records having "action_name" = "DATABASE AUTHENTICATION SUCCEEDED".  The sniffer will not log these actions in the future.   
If the data captured represents a problem in your reports, you can try one of the following actions:
  • Filter your reports, so you can omit those records with those unexpected values. 
  • Install the IBM Security Guardium™ v11 Sniffer patch 4030 or above.  
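
The query below is an added example, not part of the original IBM document. It reads the Azure SQL audit log with sys.fn_get_audit_file and lists the records whose statement is empty, showing the action_id, its name from sys.dm_audit_actions, and the session_server_principal_name, which are the fields the answer above says Guardium reports. The storage URL is a placeholder to replace with your own audit log location, and the RTRIM/COLLATE handling on the join is an assumption added for robustness.

```sql
-- Added example (not IBM's code). Run in the audited Azure SQL database.
-- Placeholder path: substitute your own audit log storage location.
DECLARE @audit_path nvarchar(4000) =
    N'https://<storage-account>.blob.core.windows.net/sqldbauditlogs/<server>/<database>/';

-- sys.dm_audit_actions repeats an action_id once per securable class,
-- so reduce it to one name per action_id before joining.
WITH actions AS (
    SELECT RTRIM(action_id) AS action_id,
           MIN(name)        AS action_name
    FROM sys.dm_audit_actions
    GROUP BY RTRIM(action_id)
)
SELECT
    RTRIM(f.action_id)              AS action_id,        -- value shown as "SQL" when the statement is empty
    a.action_name,                                       -- e.g. DATABASE AUTHENTICATION SUCCEEDED for DBAS
    f.session_server_principal_name,                     -- value shown as "DB User Name"
    COUNT(*)                        AS record_count,
    MIN(f.event_time)               AS first_seen,
    MAX(f.event_time)               AS last_seen
FROM sys.fn_get_audit_file(@audit_path, DEFAULT, DEFAULT) AS f
LEFT JOIN actions AS a
    -- Assumption: force one collation so the join cannot fail on a collation mismatch.
    ON a.action_id COLLATE DATABASE_DEFAULT
       = RTRIM(f.action_id) COLLATE DATABASE_DEFAULT
WHERE f.statement IS NULL
   OR LTRIM(RTRIM(f.statement)) = N''                    -- audit records with no SQL text
GROUP BY RTRIM(f.action_id), a.action_name, f.session_server_principal_name
ORDER BY record_count DESC;
```

The action_id values returned are the ones to expect in the "SQL" Attribute, which makes them a starting list for the report filter suggested above.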


Document Information

Modified date:
20 July 2021

UID

ibm16470581