Discovering and Classifying Network Assets 2

This guide provides information about using SecureSphere to discover, classify, and monitor network assets and database activity. It describes how to configure and run discovery scans, analyze scan results, manage discovered servers and classified database data, and set data type rules.

Uploaded by

vijay konduru

v14.7 Database Activity Monitoring User Guide


Contents

Discovering and Classifying Network Assets
Introduction to SecureSphere Discovery and Classification
Understanding the Discovery Window
Major Discovery and Classification Tasks
Using Service Discovery to Populate a SecureSphere Site
Working with SecureSphere Scans
Creating a Scan
Creating a Service or DB User Rights Scan
Creating a DB Data Classification Scan
Creating a Scan Profile
Configuring a Scan Profile
Creating a New DB Data Classification Scan
Configuring a Scan
Configuring a Service Discovery Scan
Customizing Service Discovery Advanced Options
Configuring Credentials
Configuring Service Credential Options
Configuring Database Credential Options
Importing Credentials
Configuring a DB Data Classification Scan
Configuring Cloud Accounts
Enabling Cloud Discovery in AWS
Adding a New Cloud Account
Configuring a Cloud Account
Running a Scan
Understanding Scan History
Configuring Database Data Types
Creating a Data Type Rule
Configuring a Data Type Rule
Sample Regular Expressions for Sensitive Data
Deleting a Data Type Rule
Managing Discovered Servers
Analyzing Discovered Servers
Viewing Discovered Server Details in Tabular View
Viewing Discovered Servers in Graphical Views
Working with Discovered Servers
Editing Discovered Servers
Manually Accepting and Rejecting Discovered Servers
Reinstating Rejected Discovered Servers
Managing Classified DB Data
Analyzing Classified DB Data
Analyzing Classified DB Data in Tabular View
Classified DB Data Details
Viewing Classified DB Data in Graphical Views
Managing Classified DB Data
Editing Classified DB Data
Manually Accepting or Rejecting Classified DB Data

Discovering and Classifying Network Assets


Identifying the various assets in your network is a crucial step in proactively protecting them.

• Discovering assets in your network
• Classifying database data
• Monitoring access to database data for compliance purposes
• Creating security policies that determine who has the right to access database data
• Alerting when policies are violated

This section reviews the various aspects of working with SecureSphere Discovery and Classification and includes the
following topics:

• Introduction to SecureSphere Discovery and Classification
• Understanding the Discovery Window
• Major Discovery and Classification Tasks
• Working with SecureSphere Scans
• Managing Discovered Servers
• Working with Discovered Servers
• Managing Classified DB Data

Introduction to SecureSphere Discovery and Classification


SecureSphere Discovery and Classification provides a complete set of tools to help you discover, classify and manage
assets in your network, including database services, database data, user rights and more. It then allows you to use
this information to create security policies to monitor them, alert you to suspicious activity, audit activity on these
various assets, and more.

The following types of discovery and classification are available:

• Service Discovery: Service discovery scans your network for open ports and determines the services listening
on these ports. For more information on configuring a service discovery scan, see Configuring a Service
Discovery Scan.
• Data Classification: Data Classification consists of scanning database services to classify data types hosted on
these services. It uses credentials you provide to search existing services, either found through service
discovery, or manually configured. For more information on configuring a database data classification scan, see
Configuring a DB Data Classification Scan.

Additionally, with service discovery and database classification, you can configure SecureSphere to
automatically create configuration objects based on the items discovered, or enable you to review and
manually approve suggestions.

Note: For information on how to work with User Rights, see User Rights Management.

Understanding the Discovery Window


The Discovery and Classification window provides a wide selection of options that enable you to navigate between
the available features to configure scans and display discovered servers and classified data. The Discovery and
Classification window offers a number of main views, as represented by links in the Discovery and Classification
navigation bar. These include:

• Scans: Lists scans used to discover services and user rights, and classify database data and files. Enables you to
create and configure new and existing scans.
• Discovered Servers: Displays services discovered by a service discovery scan operating in your network.
Enables you to manage these services and add them to your network’s SecureSphere architecture.
• Classified Database Data: Displays data that was classified by a data classification scan. Enables you to
manage classified data and add it to your network’s SecureSphere architecture.
• DB User Rights: Part of User Rights Management. Displays Database User Rights discovered by a Database User
Rights scan. Enables you to manage these User Rights.

Note: This section deals with configuring and running service discovery and database
classification. For more information about working with features related to User Rights, see
User Rights Management.

To view the Discovery and Classification window:

• In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.

The Discovery and Classification window consists of the following items:

• Filter: Enables you to filter scans using various criteria. For a list of available filter criteria, see
Discovery Filter Criteria.
• Navigation Bar: Enables you to move between the different parts of the Discovery and Classification
windows.
• Scans Pane: Displays the scans that have been configured to discover services and classify data in your
network.
• Details Pane: Enables you to configure scans. For more information see Working with SecureSphere
Scans.

Major Discovery and Classification Tasks


The following table lists the primary tasks involved in working with SecureSphere Discovery and Classification.

Major Tasks Overview

1. Creating a Scan
   Description: Create a discovery or classification scan.
   For more information, see: Creating a Scan

2. Configuring a Scan
   Description: Configure the scan with settings for the specific type of scan you want to conduct.
   For more information, see: Configuring a Service Discovery Scan; Configuring a DB Data Classification Scan

3. Running a Scan
   Description: Run the scan to discover and classify related components in your network.
   For more information, see: Running a Scan

4. Editing and Adding Components to SecureSphere
   Description: Review discovered components, edit parameters if required and add to SecureSphere architecture.
   For more information, see: Working with Discovered Servers; Managing Classified DB Data

Using Service Discovery to Populate a SecureSphere Site

SecureSphere service discovery can be used as an alternative method to build a SecureSphere site. Once a site has
been manually created, a service discovery scan is configured while selecting the site. It is then run, and as a result
SecureSphere automatically creates Sites and Server Groups based on the New Entities configuration that is part of
the service discovery scan. If you use SecureSphere discovery to both discover your network assets, and automatically
create Sites and Server Groups using the Automatically Accept New Configuration option, you can later modify
these automatic configurations in the SecureSphere Setup > Sites window. For information on Automatically
Accepting New Configuration:

• For Services, see Configuring a Service Discovery Scan
• For Data, see Configuring a DB Data Classification Scan

Working with SecureSphere Scans


Discovery and classification scans are the means by which SecureSphere determines what to look for in your network.
SecureSphere enables you to configure a range of scans.

Once database data are classified, SecureSphere can be used to monitor these items and track access to them, then
report to meet regulatory requirements.

SecureSphere enables you to create customized default scans to match your requirements and your network.

Note: IPv6 DHCP is not supported for discovery and classification scans.

This section reviews the following subjects:

• Creating a Scan
• Configuring a Scan
• Configuring Cloud Accounts
• Running a Scan
• Configuring Database Data Types

Creating a Scan

The following procedures describe how to create different types of Discovery or Classification scans.

• Creating a Service or DB User Rights Scan
• Creating a DB Data Classification Scan

Creating a Service or DB User Rights Scan

The following procedures describe how to create Discovery or Classification scans for Service or DB User Rights.

To create a Discovery or Classification Scan:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.
2. In the Scans pane in the middle of the Scans Management window, click New, then choose a scan type, as
follows:
◦ Service Discovery: Configures a service discovery scan to identify the services running in your network.
For details on configuring its settings, see Configuring a Service Discovery Scan.
◦ DB User Rights: Database User Rights scans enable you to scan your databases for granted User Rights,
and optionally interface with LDAP to import User and Group information, then manage granted user
rights by approving or rejecting them. For more information, see Configuring a Database User Rights Scan.

The Create New Scan dialog appears for the selected scan type.

3. Type a Name for the scan.
4. Choose to create the scan from scratch or select an existing scan on which to base the new scan. If creating the
scan from scratch, select a site for the scan.
5. Click Create. The new scan appears in the central selection table.
6. Configure the scan as described in the following:
◦ Configuring a Service Discovery Scan
◦ Creating a User Rights Scan

For more information on creating a DB Data Classification Scan, see Creating a DB Data Classification Scan.

Creating a DB Data Classification Scan

Data Classification scans enable you to scan your network for databases, and use custom algorithms to classify
various types of data contained within these databases. This information can then be used to protect activity to
sensitive databases, understand which users have access rights, audit this activity, and more. By configuring a data
classification scan you determine the parameters by which SecureSphere searches for these databases and data in
your network, and whether they are automatically added to a SecureSphere service for monitoring and protection or
need to be manually reviewed and added to a service.

Notes:

• Data search is not case sensitive in Oracle, DB2, MSSQL, and Informix databases. However,
data classification searching in Sybase databases is case sensitive.
• IMS classification is not supported on z/OS.
• Classification results can be impacted by DB activity. Data being accessed during a scan may
result in this information not being included in classification results. Consequently, it is
recommended that classification scans be run while the database is idle.
• The maximum column width for a database classification scan is 32,768 characters. Columns
larger than this will not be scanned.

A DB Data Classification Scan scans a database using a set of rules contained in a scan profile. When you create a DB
Classification Scan, you associate it with a single scan profile.

Scan profiles are persistent objects and can therefore be used by many DB Classification Scans. A scan profile contains
one or more data types. Data types contain the rules that the scan uses. You can at any time configure a data type by
adding rules or deleting user-defined rules. In this way, a scan profile is a persistent container for the rules that a scan
uses when you run that scan.

You can at any time configure a profile by enabling or disabling its component data types, or enabling or disabling
individual rules within those data types, thus tailoring a scan profile for a particular use.

To create a scan profile, perform the actions in the table below:

Creating a DB Data Classification Scan Task Overview

1. Create a Data Type (Optional)
   Description: If the appropriate data type exists, you can enable it in a profile. If not, you can create a new data type.
   For more information, see: Creating New Global Objects

2. Configure a Data Type (Optional)
   Description: If necessary, you can configure a data type by adding rules or deleting user-defined rules.
   For more information, see: Configuring Database Data Types

3. Create/Configure a Scan Profile (Optional)
   Description: You can create a scan profile for your new scan, or alternatively, you can use an existing profile.
   For more information, see: Creating a Scan Profile; Configuring a Scan Profile

4. Create a DB Data Classification Scan
   Description: Create a DB Data Classification Scan by associating it with a scan profile.
   For more information, see: Creating a New DB Data Classification Scan

• Creating a Scan Profile
• Configuring a Scan Profile
• Creating a New DB Data Classification Scan

Creating a Scan Profile

A scan profile is a persistent container of the rules that apply to any scan with which you associate it.

To create a scan profile:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. Under the Scope Selection drop down, select Scan Profiles.
3. Click the New button. The Create Scan Profile dialog box appears.
4. Enter parameters for the scan profile:
◦ Type a Name.
◦ You can create a scan profile from scratch, or base it on an existing profile.
5. Click Create.

Configuring a Scan Profile

You can enable or disable data types and/or individual rules in any scan profile.

To configure a scan profile:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. Under the Scope Selection drop down, select Scan Profiles.
3. Select a scan profile.
4. In the Data Types tab:
◦ You can enable or disable any data type by selecting or de-selecting the appropriate check box.
◦ You can select any data type, and then enable or disable any of its rules by selecting or de-selecting the
appropriate check box.
5. In the Settings tab, configure the data classification options in accordance with the table below.
6. Click Save.

DB Data Classification Options

• Automatically Accept New Data: Automatically adds newly discovered tables that are assigned to existing table
groups, to the SecureSphere configuration. If left deselected, all discovered data can be manually accepted or
rejected in the Discovered Data window.
• Allow me to view results before updating: Displays discovered data but enables you to manually review and accept
results, and only then add them to SecureSphere configuration for monitoring and protection.
• Scan for Views and Synonyms: Searches for and identifies views and synonyms on a database. For more information
on views and synonyms, see Understanding Table Views, Synonyms and Select into Tables.
• Random Sampling Data: Sets SecureSphere to randomly sample 200 data entries to perform the classification scan.
By default, the first 200 data entries are used to perform the classification scan. If you check this option, those
200 entries are instead selected randomly.
This can have a negative performance impact when the quantities of data are very large.
Note: Oracle does not allow sampling of views. If you select both Scan Views and Synonyms and Random Sampling
Data, then you may see errors on some queries run on the database, for example: 'ORA-01446: cannot select ROWID
from, or sample, a view with DISTINCT, GROUP BY'.
• Save Sample Data: If during classification, sensitive data is discovered, five samples from the matching column
are saved and can be viewed in additional details Data Classification Results. For more information see
Classified DB Data Details.
• Data Sample Accuracy: Defines the level of confidence used to grade content based data classification rules. A
setting of 1 means that all rows tested for a specific sensitive data type would need to match for the table to be
included in the results.
• Databases and Schemas: Determines the focus of database and schema discovery based on the items configured in the
Databases table. Databases and Schemas check for names containing the keywords entered in the scan.
◦ Exclude: Excludes the database or schema configured in table from discovery.
◦ Include: Limits discovery to the database or schema configured in the table. If an included database or schema
list is empty, it is ignored and all databases and schemas are scanned.
Note: Selecting the Any option includes or excludes any databases or schemas and disables all other options.
To add a new database or schema to the list, click Create, then type a Database or Schema name.
Include/Exclude Database Guidelines
Different databases have different infrastructures. Subsequently, when configuring include or exclude of
databases, use the following database guidelines:
◦ Oracle: Enable Any database, then complete schema info. Oracle databases have one database and many schemas
◦ MSSQL: Complete both database and schema information
◦ DB2: Enable Any database, then complete schema info
◦ MYSQL: Complete database info, enable Any schema
◦ Sybase: Complete both database and schema information
◦ Informix: Complete both database and schema information
◦ Scan System Schemas: Scans internal schemas. This feature is optional.
◦ Teradata: Complete both database and schema information
◦ Postgres: Complete both database and schema information
◦ Progress: Complete both database and schema information
◦ Netezza: Enable any database, then complete schema information
• Excluded Tables and Columns: Lists database tables and columns to exclude from discovery.
To exclude a table or column from discovery, click Create. Then type a table or column name.
Note: Selecting the Any option excludes any databases or schemas and disables all other options.
• Throttle Settings: Throttle settings can be used to tune the performance of data classification.
Note: It is not recommended to change these settings.
◦ Number of concurrent database connections: Defines the maximum number of database connections that can be run
at one time. Default: 3.
◦ Delay Between Queries: Defines the delay between queries. Default: 0 ms.

Notes:

• Names of databases, tables and schemas can be specified as full names or substrings. This
means that you cannot use regex expressions or wildcards. For example, to exclude
MOCK_DATA_SSN you cannot use MOCK_.+ or MOCK_* but you can use MOCK_ or
_DATA.
• The exclusion list takes precedence over the limit list. For example, if the same database is
listed both under Excluded Databases and Limit Databases, then that database is
excluded.
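
The scan profile semantics described above, modeled as an added example (this is not SecureSphere code and is not part of the original guide): substring-only name matching with exclusion taking precedence, the 200-row sample, and the Data Sample Accuracy threshold. Assumptions: the SSN-style regular expression and the table contents are constructed, name matching is treated as case sensitive, and accuracy values below 1 are read as the fraction of tested rows that must match (the guide only defines the value 1).

```python
import random
import re

SAMPLE_SIZE = 200         # rows tested per column (Random Sampling Data option)
MAX_COLUMN_WIDTH = 32768  # wider columns are not scanned (guide notes)
SAVED_SAMPLES = 5         # matches kept when Save Sample Data is enabled

# Constructed content rule for SSN-like values; an assumption, not a built-in rule.
SSN_RULE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def name_matches(name, keywords):
    """Full-name or substring match; regex and wildcard characters stay literal.
    Case-sensitive comparison is an assumption of this sketch."""
    return any(keyword in name for keyword in keywords)


def in_scope(name, include, exclude):
    """Exclusion takes precedence; an empty include list is ignored (scan all)."""
    if name_matches(name, exclude):
        return False
    return not include or name_matches(name, include)


def pick_sample(rows, random_sampling=False, rng=None):
    """First 200 rows by default; 200 randomly chosen rows when the option is set."""
    if not random_sampling or len(rows) <= SAMPLE_SIZE:
        return rows[:SAMPLE_SIZE]
    return (rng or random).sample(rows, SAMPLE_SIZE)


def classify_column(rows, width, rule, accuracy=1.0, random_sampling=False, rng=None):
    """Return (is_sensitive, saved_samples) for one column of string values."""
    if width > MAX_COLUMN_WIDTH:
        return False, []  # column too wide: skipped, so never classified
    sample = pick_sample(rows, random_sampling, rng)
    if not sample:
        return False, []
    hits = [value for value in sample if rule.match(value)]
    # Assumption: accuracy is the fraction of tested rows that must match.
    if len(hits) / len(sample) >= accuracy:
        return True, hits[:SAVED_SAMPLES]
    return False, []


def build_constructed_column():
    """Constructed data: 200 placeholder rows loaded first, then 9,800 SSN-like rows."""
    placeholders = ["N/A"] * 200
    ssns = [f"{i % 900 + 100:03d}-{i % 90 + 10:02d}-{i % 9000 + 1000:04d}"
            for i in range(9800)]
    return placeholders + ssns


if __name__ == "__main__":
    column = build_constructed_column()
    print("first 200 rows :", classify_column(column, 11, SSN_RULE))
    print("random, acc 0.9:",
          classify_column(column, 11, SSN_RULE, 0.9, True, random.Random(7)))
    for pattern in ("MOCK_", "_DATA", "MOCK_.+", "MOCK_*"):
        excluded = not in_scope("MOCK_DATA_SSN", [], [pattern])
        print(f"{pattern!r} excludes MOCK_DATA_SSN: {excluded}")
```

With the default first-200 sampling, a column whose earliest rows are placeholders is not classified even though 98% of it is sensitive, and an exclusion keyword written as a regular expression or wildcard silently excludes nothing.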

Creating a New DB Data Classification Scan

Once you have created a scan profile, you can create a new DB data classification scan.

To create a new DB data classification scan:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. Under the Scope Selection drop down, select Scans.
3. Click the New button. From the drop down menu, select DB Data Classification. The Create New DB Data
Classification Scan appears.
4. Enter a name and select a scan profile for the new scan.
5. Click Create.

Configuring a Scan

Each type of scan is configured differently. For more information on configuring scans, see:

• Configuring a Service Discovery Scan
• Configuring a DB Data Classification Scan
• Configuring a Database User Rights Scan

Configuring a Service Discovery Scan

Configuring a Service discovery scan involves configuring the various options available in the tabs located in the
Discovery Scan Details pane.

Note: IPv6 addresses will be scanned, even if they are members of an IP group.

To configure a Service Discovery scan:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears displaying existing scans.
2. Select an existing Service Discovery Scan or click New and create a new Service Discovery Scan. Options for
the selected Service Discovery Scan appear in the pane on the right-hand side of the window.
3. In the Details pane, click the Services tab. Service discovery options are displayed.
4. Configure settings in accordance with the table below.
5. Click the Credentials tab and configure Service credentials options as described in Configuring Service
Credential Options.
6. Configure Scheduling if you’d like service discovery to run on a regular basis. For more information on
scheduling see Configuring Scheduling.
7. Click Save in the upper right of the screen. Your settings are saved.

Note: This procedure describes how to configure a basic scan. For details regarding available
advanced configuration options, see Customizing Service Discovery Advanced Options.

8. Run the scan. Right-click the scan in the scan window, then click Run the policy now. For more information on
running a scan, see Running a Scan.
◦ For information on reviewing discovered servers, see Analyzing Discovered Servers
◦ For information on scan history, see Understanding Scan History

Service Discovery Scan Options

• Automatically add discovered servers to SecureSphere configuration: Automatically adds discovered server groups
and services into SecureSphere’s configuration.
Once new services have been discovered by a Service Discovery Scan, they appear in the Sites > Server Groups
information on the Servers tab.
Note: Discovered IP addresses are not protected automatically. To add discovered IP addresses for protection click
the Add to Protected IPs button on the Servers tab.
• Allow me to manually review discovered servers before updating: Enables you to manually accept or reject
discovered server groups and services in the Discovered Servers window.
• IP Configuration: Determines how SecureSphere scans your network and resolves host names, operating systems and
port version. Options include the following:
◦ Scan existing Server Groups for new services: Enables discovery on server IP addresses already configured in
SecureSphere.
◦ Scan IP Ranges: Enables discovery on IP addresses as defined in IP groups. Click the New button, then select a
group of pre-defined IP Groups. For more information on IP groups, see Configuring IP Groups.
Note:
◦ IPv6 addresses will be scanned, even if they are members of an IP group.
◦ To create or edit an IP Group, click Edit.
• Cloud Configuration: Enables you to configure cloud accounts to scan for the checked database service types.
Click the New button, then select a cloud service.
You can click the Edit button to add more cloud accounts. For more information, see Configuring Cloud Accounts.
• Service Types: Determines the types of services to discover. SecureSphere does not test for types that are not
selected.
• Advanced Configuration: Offers a number of advanced options for configuring Service Discovery scans including
additional ports to scan, how to name discovered services that are added to SecureSphere, and more. For more
information, see Customizing Service Discovery Advanced Options.


Customizing Service Discovery Advanced Options

Service Discovery scans are preconfigured with the basic items that are required to discover services in your network.
You can optionally configure advanced options that enable you to resolve hostnames, operating systems and port
versions, determine what ports to scan, configure naming conventions for new services and have them automatically
added to the SecureSphere site tree, and more. This section reviews these advanced options.

To customize service discovery scans:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears displaying existing scans.
2. In the Scans pane, click the scan you want to customize. The scan’s configuration options appear in the Details
pane. The table below details these options.
3. If you have made any changes, click Save. Settings are saved. If you are in delayed activation mode, you need to
activate these settings. For further information, see Activating Settings.

Service Discovery Scan Advanced Options

Option: Description

Advanced Configuration:
• Resolve Hostnames: Looks up hostnames during discovery.
  Note: The Resolve Hostnames function requires that a PTR record be defined for the host in the DNS server.
• Resolve operating system and ports versions: Includes full details of the operating system and services in the discovery results.
• Use enhanced scanning: Additionally scans non-default ports for services like Oracle and MySQL.
• Discovery Timeout: The time period, in milliseconds, after which the discovery attempt will be considered to have timed out.

Port Configuration: Determines how services are identified according to their associated ports, and the range of ports that are scanned. It is recommended to use a port list unless the ports in use are unknown, in which case it would be better to use a limited range of ports.
• Global Ports list: Select an existing Global Ports group global object. For more information, see Working with Global Ports Groups.
Note: To create or edit the Global Ports list, click Edit.
To configure additional ports, add them as entries in the port table below the global port list.

New Entries Configuration: SecureSphere creates new configuration objects for discovered servers. This option enables you to determine how these objects are created, as follows:
• Server Group naming template: Determines naming conventions for creating new server groups from the results of service discovery. Can utilize the site name ($SITE), service IP ($IP), Class A ($CLASS_A_SUBNET), Class B ($CLASS_B_SUBNET), and Class C ($CLASS_C_SUBNET), as placeholders.
• Service naming template: Determines naming convention for creating new services from the results of service discovery. The template can utilize the site name ($SITE), service IP ($IP), service hostname ($HOST_NAME) and service type ($SERVICE_TYPE) as placeholders.


Configuring Credentials

When working with SecureSphere scans you need to configure credentials in order to access the relevant items that
need to be scanned. Types of credentials that need to be configured include the following:

• Configuring Service Credential Options


• Configuring Database Credential Options

Note: If you are working with a MySQL database, you must have the correct driver
installed. For more information, see Working with MySQL.


Configuring Service Credential Options

Rules can be configured to test OS credentials during the service discovery stage. If successful, the credentials are
saved in the service’s direct access information and used for assessment tests. Alternatively, when running on services
that exist in SecureSphere, credentials from the Direct Access Information tab are used. Rules can be configured for
individual IP addresses, IP address ranges, or subnets. In addition, rules can be based on operating system type and
hostname by using the Host field. Each set of credentials is attempted only once to prevent a system from locking up
due to unsuccessful attempts.

Notes:

• In order to discover new credentials on existing services, you must enable the Scan Existing
option discussed in Configuring a Service Discovery Scan.
• Credentials cannot be defined for IPv6 addresses.

Note: For information on configuring database credentials, see Configuring Database Credential
Options.

To configure credential options:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.
2. In the Scans pane, select the Service Discovery scan you want to configure. That scan’s options are displayed in
the Details pane.
3. In the Details pane, click the Credentials tab. Credentials options are displayed.
4. Select the Run Credential Discovery checkbox. This tries the credentials when running a discovery scan, and if
credentials are valid automatically configures the resulting object with these credentials.
5. In the OS Credentials table, click New. A new row is added to the OS Credentials table.

Note: Alternatively, you can import existing credentials. For more information, see Importing
Credentials.

6. Configure in accordance with the table Service Credential Options below.


7. Click Save in the upper right of the screen. Your settings are saved.


Service Credential Options

Option: Description

Type: Determines the basic parameters for IP addresses on which to use the credentials. Options include:
• Single: Uses the credential to attempt discovery on a single IP address.
• Range: Uses the credential to attempt discovery on a range of IP addresses.
• Network: Uses the credential to attempt discovery on a network address.
• Any: Scans all IP ranges configured in the services tab of the selected discovery scan.

Start IP: The first IP address in a range, or only IP address when configuring credentials for a single or network IP address. Use CIDR notation.

End IP: The last IP address in a range.

Host (RegExp): Not required. Enables configuring a rule to use a single set of credentials for multiple hosts, when a system was used for creating host names.

Auth: Authentication used to connect.

Login: OS login used to connect to the service (required).

Password: Authorized password for the Operating System (required).

Confirm Password: Same as the password.

Order: Used to determine in which order credentials are attempted and as a means of identification when reporting on the success or failure of authenticating an operating system.


Configuring Database Credential Options

Database credentials are required for data classification to access the data stored in databases. SecureSphere
attempts to connect to databases using either the rules configured in the DB Credentials table or the authentication
information in the service’s Direct Access Information screen. Rules can be configured for individual IP addresses, IP
address ranges, or subnets. In addition, rules can be based on database service type and hostname. Each set
of credentials is attempted only once to prevent a system from locking up due to unsuccessful attempts.

Notes:

• For information on configuring service credentials, see Configuring Service
Credential Options.
• In order to discover new credentials on existing services, you must enable the
Scan Existing option discussed in Configuring a Service Discovery Scan.
• If you are working with a MySQL database, you must have the correct driver
installed. For more information, see Working with MySQL.

To configure database credential options:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.
2. In the Scans pane, select the Service Discovery scan you want to configure. That scan’s options are displayed in
the Details pane.
3. In the Details pane, click the Credentials tab. Credentials options are displayed.
4. Select the Run Credential Validation checkbox. This tries the configured credentials when running a discovery
scan, and if credentials are valid automatically configures the resulting object with these credentials.
5. In the DB Credentials table, click New. A new row is added to the DB Credentials table.

Note: Alternatively, you can import existing credentials. For more information, see Importing
Credentials.

6. Configure in accordance with the table below.


7. Click Save in the upper right of the screen. Your settings are saved.

Credential Tab Options


Option: Description

Type: Determines the basic parameters for IP addresses on which to use the credentials. Options include:
• Single: Uses the credential to attempt discovery on a single IP address.
• Range: Uses the credential to attempt discovery on a range of IP addresses.
• Network: Uses the credential to attempt discovery on a network address.
• Any: Scans all IP ranges configured in the services tab of the selected discovery scan.

Start IP: The first IP address in a range, or only IP address when configuring credentials for a single or network IP address. Use CIDR notation.

End IP: The last IP address in a range.

Host (RegExp): Not required. Enables configuring a rule (regular expression) to use a single set of credentials for multiple databases, when a system was used for creating host names.
Example: A corporate network is divided into logical segments, naming conventions and correlated credentials are used for host names. Every computer with the prefix "dev" in its host name has a login "dev_admin" whereas every computer with a prefix "fin" might have a login of "fin_admin".

Service: The type of database service that is being connected to.

Service ID: Only relevant for Oracle and DB2 databases, for which it is required. Type the Service ID assigned to the database.

Server Name: Name of service when credentials are used with an Informix database service.

Login: DB login used to connect to the service (required).

Password: Authorized password for the Database (required).

Confirm Password: Same as the password.

Order: Used to determine in which order credentials are attempted and as a means of identification when reporting on the success or failure of authenticating an operating system.
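
The Type, Start IP, End IP, Host (RegExp) and Order fields in the credential tables decide which logins a scan presents to each host. The following added example (not SecureSphere code) models that scoping in Python so a rule set can be reviewed before it is saved. The matching semantics, the CredentialRule class, the sample addresses and the logins other than dev_admin and fin_admin are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List


@dataclass
class CredentialRule:
    order: int             # Order column
    type: str              # Type column: "single", "range", "network" or "any"
    login: str             # Login column (passwords are deliberately left out)
    start_ip: str = ""     # Start IP (CIDR notation for "network")
    end_ip: str = ""       # End IP, used by "range" only
    host_regexp: str = ""  # Host (RegExp); empty means "not set"


def ip_in_scope(rule: CredentialRule, addr: ipaddress.IPv4Address) -> bool:
    """True when the rule's Type and IP fields cover the address."""
    if rule.type == "any":
        return True
    if rule.type == "single":
        return addr == ipaddress.ip_address(rule.start_ip)
    if rule.type == "range":
        first = ipaddress.ip_address(rule.start_ip)
        last = ipaddress.ip_address(rule.end_ip)
        return first <= addr <= last
    if rule.type == "network":
        return addr in ipaddress.ip_network(rule.start_ip, strict=False)
    raise ValueError(f"unknown rule type: {rule.type!r}")


def applicable_logins(rules: List[CredentialRule], ip: str, hostname: str) -> List[str]:
    """Logins that would be tried against one host, in Order sequence."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return []  # the service-credential notes say credentials cannot be defined for IPv6
    logins: List[str] = []
    for rule in sorted(rules, key=lambda r: r.order):
        if not ip_in_scope(rule, addr):
            continue
        # Assumption: the Host expression is an extra filter on top of the IP scope.
        if rule.host_regexp and not re.search(rule.host_regexp, hostname):
            continue
        if rule.login not in logins:  # each set of credentials is attempted only once
            logins.append(rule.login)
    return logins


def unscoped_rules(rules: List[CredentialRule]) -> List[int]:
    """Order numbers of rules whose login is presented to every scanned host."""
    return [r.order for r in rules if r.type == "any" and not r.host_regexp]


# Constructed rule set, following the dev/fin naming example in the table above.
RULES = [
    CredentialRule(1, "network", "dev_admin", start_ip="10.1.0.0/16", host_regexp=r"^dev"),
    CredentialRule(2, "any", "fin_admin", host_regexp=r"^fin"),
    CredentialRule(3, "range", "dba_ro", start_ip="10.2.0.10", end_ip="10.2.0.20"),
    CredentialRule(4, "any", "legacy_root"),  # no IP or host restriction at all
]

if __name__ == "__main__":
    for ip, host in [("10.1.4.7", "dev-db01"), ("10.2.0.15", "fin-ora02"), ("10.3.9.9", "hr-sql01")]:
        print(host, applicable_logins(RULES, ip, host))
    print("rules sent to every host:", unscoped_rules(RULES))
```

A rule reported by unscoped_rules sends its login to every address the scan reaches, so it is the first place to add a Host expression or a narrower Type.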


Importing Credentials

As opposed to manually configuring credentials, you can import them from a Comma Separated Values (.csv) file. This
can save time and trouble. Files for upload should be formatted as follows:

• Server Credentials: Should include the following fields: IP, User, and Password. When imported, type is
automatically set to single and authentication method is set as SSH.
• Database Credentials: Should include the following fields: IP, Service Type (Oracle, MSSQL, DB2, Sybase,
Informix), Service ID, Server Name, User, and Password. When imported, Type is automatically set to single.

To upload credentials from a file:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.
2. In the Scans pane, select the service discovery scan you want to configure. That scan’s options are displayed in
the Details pane.
3. In the Details pane, click the Credentials tab. Credentials options are displayed.
4. Click Upload from below the relevant table.
5. Browse to the file containing the credentials.
6. Check the option The File Includes Title if the file contains a row with the column titles in it.
7. Click Upload. The credentials are imported into SecureSphere.
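
A credentials file can be checked against the format rules above before it is uploaded. The following added example (not part of SecureSphere) does that in Python. The column order, the treatment of IPv6 for database rows, the function name and the sample rows are assumptions; the service types and the Service ID requirement come from this guide.

```python
import csv
import io
import ipaddress

# Column order is assumed to follow the order in which the guide lists the fields.
SCHEMAS = {
    "server": ["IP", "User", "Password"],
    "database": ["IP", "Service Type", "Service ID", "Server Name", "User", "Password"],
}
DB_SERVICE_TYPES = {"Oracle", "MSSQL", "DB2", "Sybase", "Informix"}
SERVICE_ID_REQUIRED = {"Oracle", "DB2"}  # per the Service ID row of the credentials table


def validate_credentials_csv(text, kind, has_title=False):
    """Return (row_number, problem) tuples; an empty list means no problem was found.

    Messages never include the Password value, so the result is safe to log.
    """
    fields = SCHEMAS[kind]
    problems = []
    for rowno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if rowno == 1 and has_title:
            continue  # corresponds to ticking "The File Includes Title" at upload
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != len(fields):
            problems.append((rowno, f"expected {len(fields)} fields, found {len(row)}"))
            continue
        rec = {name: cell.strip() for name, cell in zip(fields, row)}
        try:
            # Imported rows get Type "single", so a range or CIDR block is rejected here.
            if ipaddress.ip_address(rec["IP"]).version == 6:
                problems.append((rowno, "IPv6 address"))
        except ValueError:
            problems.append((rowno, f"not a single IP address: {rec['IP']!r}"))
        for required in ("User", "Password"):
            if not rec[required]:
                problems.append((rowno, f"{required} is empty"))
        if kind == "database":
            service = rec["Service Type"]
            if service not in DB_SERVICE_TYPES:
                problems.append((rowno, f"unknown Service Type: {service!r}"))
            elif service in SERVICE_ID_REQUIRED and not rec["Service ID"]:
                problems.append((rowno, f"Service ID is required for {service}"))
    return problems


# Constructed sample file (documentation addresses, placeholder passwords).
SAMPLE_DB_CSV = """\
IP,Service Type,Service ID,Server Name,User,Password
192.0.2.10,Oracle,ORCL,,scan_ro,placeholder-1
192.0.2.11,DB2,,,scan_ro,placeholder-2
192.0.2.0/24,MSSQL,,,scan_ro,placeholder-3
2001:db8::5,Sybase,,,scan_ro,placeholder-4
192.0.2.12,PostgreSQL,,,scan_ro,placeholder-5
192.0.2.13,Informix,,ifx_prod,scan_ro,
"""

if __name__ == "__main__":
    for rowno, problem in validate_credentials_csv(SAMPLE_DB_CSV, "database", has_title=True):
        print(f"row {rowno}: {problem}")
```

The file holds passwords in clear text, so keep it readable only by the operator who uploads it and delete it once the import has succeeded.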


Configuring a DB Data Classification Scan

You can configure how your scan runs, on what services, and at what times.

Configure Direct Access Information for the Database service you want to scan. For information on configuring Direct
Database Information, see Configuring Database Direct Access Information.

Note: Before applying a scan to a Server Group, verify that you configured the credentials on the
service level in the sites page.

To configure data classification options:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans window appears.
2. Select an existing Data Classification Scan or click New and create a new Data Classification Scan.
3. In the Details pane, click the Settings tab. Data Classification options are displayed.
4. If you so desire, you can change the scan profile you wish the scan to use. You can configure the profile if you
want, adding data types and rules, and deleting data types and user-defined rules. For more information, see
Configuring a Scan Profile.
5. Click the Apply to tab and select the services on which you want to run data classification. For more information
on Apply to, see Applying Policies.
6. Click the Scheduling tab and configure scheduling options if you want service discovery to run on a regular
basis. For more information on scheduling see Configuring Scheduling.
7. Click Save in the upper right of the screen. Your settings are saved.
8. Once the scan has been configured, it can be run by selecting Action > Run Now. For more information on
running a scan, see Running a Scan.
◦ For information on managing discovered and classified data, see Managing Classified DB Data
◦ For information on scan history, see Understanding Scan History


Configuring Cloud Accounts

Cloud accounts refer to databases whose traffic you want to monitor and that reside in the cloud. These databases are
grouped in various locations in Amazon Web Services, and these groupings are your cloud accounts.

• Enabling Cloud Discovery in AWS


• Adding a New Cloud Account
• Configuring a Cloud Account


Enabling Cloud Discovery in AWS

In order for SecureSphere to be able to discover the databases in your AWS cloud accounts, you need to configure AWS by
creating a policy that enables SecureSphere to view the RDS and EC2 instances.

Note: This procedure assumes that you already have an AWS user with an already-defined access
key.

To create a policy that enables SecureSphere to view RDS and EC2 instances:

1. Enter the AWS Management Console.


2. Under Services, click IAM.
3. In the navigation pane, click Policies.
4. Click the Create Policy button. The Create Policy window appears.
5. Select the JSON tab.
6. Enter the following text in the window:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "rds:DescribeDBInstances",
                    "ec2:DescribeSecurityGroups"
                ],
                "Resource": "*"
            }
        ]
    }


7. Click the Review Policy button. The Review Policy window appears.
8. Give the policy a Name and a Description.
9. Click the Create Policy button. The policy is created and the Policies window appears.
10. In the navigation pane, click Users.
11. Click your user.
12. Click the Add Permissions button. The Add Permissions window appears.
13. Select Attach existing policies directly. A list of policies appears, including the new one you created.
14. Check the new policy.
15. Click the Next: Review button. The Permissions summary appears.
16. Click the Add permissions button. The policy is now associated with your AWS user.


Adding a New Cloud Account

You can add a new cloud account as a global object.

To add a new cloud account:

1. In the Main workspace, select Setup > Global Objects.


2. From the Scope Selection drop down list, select Cloud Accounts.
3. Select AWS and click the New button.

The Create AWS account dialog box appears.

4. Type a Name and select either From Scratch or Use existing. If you selected Use existing, select an existing
account from the drop down list.
5. Click Create.
6. The new cloud account appears in the main window.
7. Click Save.

The new account can be configured from this interface, or from the Global Objects interface. For more information,
see Configuring a Cloud Account.


Configuring a Cloud Account

You can configure the parameters of a cloud account at any time.

To configure a cloud account:

1. In the Main workspace, select Setup > Global Objects.


2. From the Scope Selection drop down list, select Cloud Accounts.
3. In the Globals Tree, select the account you wish to configure. The cloud account's parameters appear in the
main window.
4. Type in values for any parameters you wish to configure. See the tables below for details.
5. Click Save.

AWS Account Parameters

Name Description

Name Display name

Access Key The AWS account's access key

Secret Key The AWS account's secret key

Region Select the AWS region in which the databases are located.


Running a Scan

Once you have configured a scan as required you can choose to run it immediately.

Note: When scanning Solaris systems, tests may take an extended period of time to complete. This
is due to Solaris having a built in rate limit for sending RST packets used to determine if the port is
open. You can turn off this feature in Solaris using the following command:

ndd -set /dev/tcp tcp_rst_sent_rate_enabled 0

Alternatively, you can create a group scan to make this change on all Solaris systems used in the
organization.

To run a scan now:

1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management
window appears.
2. In the Scans pane, select the scan you want to run. That scan’s options are displayed in the Details pane.
3. In the Details pane, click the Scheduling tab. Schedule options are displayed.
4. Click Run the Scan Now. The discovery scan is run.

Note: You can also run a Discovery scan by right-clicking that scan in the Discovery Scans
pane and choosing Run the Scan Now.


Understanding Scan History

The History tab displays details of all executions of the scan.

The active icon is used to identify which execution's results are displayed in the discovery results area. Errors and
warnings generated by the scan can be viewed by clicking on the link in the status column.


Configuring Database Data Types

Database data types are used to identify database tables, table columns and actual content. They assist SecureSphere
in a variety of actions that include configuring policies to protect data that may be marked as sensitive and of a
specific type such as account numbers and payment card information.

You configure database data types by creating new rules or deleting existing ones.

For DB Data Classification scans, you can also enable or disable rules in Data Types that belong to Scan Profiles. For
more information, see Configuring a Scan Profile.

Note: SecureSphere comes with a number of data types that are pre-configured by Imperva
ADC.

• Creating a Data Type Rule


• Configuring a Data Type Rule
• Deleting a Data Type Rule


Creating a Data Type Rule

You can configure a data type by creating a new rule.

To create a data type rule:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. From the Scope Selection drop down, select Data Types Configuration.
3. Select a Data Type.
4. Under DB Classification Rules, click New Rule. The Add New Rule to Data Type dialog box appears.
5. Enter a Rule Name and click Create. The new rule appears under Data Classification Rules.
6. Click Save.


Configuring a Data Type Rule

You can configure a new rule by adding entries, each with parameter values to be looked for. You can add as many
entries as you want. SecureSphere uses the OR operator when you enter multiple entries.

Each entry can have values for any or all of three parameters: table name, column name and content. SecureSphere
uses the AND operator for parameters in the same entry.

To configure a data type rule:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. From the Scope Selection drop down, select Data Types Configuration.
3. Select a Data Type.
4. Under DB Classification Rules, select the rule you wish to configure.
5. Under Rule Details, click the New button.
6. Enter a value for the Table Name, Column Name and/or Content. For more information, see the table below.
7. Repeat steps 5 and 6 as required.
8. Click Save.

Custom Pattern Options

Option: Description

Table Name: Type a string for matching with discovered databases table names.

Column Name: Type a string for matching with discovered databases column names.

Content: Searches for data based on custom patterns enabling you to use a regular expression to search for content. To use content based patterns, enable the checkbox, and click Create. A new row is added to the table.
Type a regular expression to match against content in the database tables. For more information on regular expressions in data, see Sample Regular Expressions for Sensitive Data.


Sample Regular Expressions for Sensitive Data

The following table lists some suggested regular expressions for defining several types of sensitive data, which you
can adapt to your specific requirements.

Sample Regular Expressions for Sensitive Data

Data type: Regular expression

US Social Security number:
^([0-6]\d{2}|7[0-6]\d|77[0-2])([ \-]?)(\d{2})\2(\d{4})$

Credit Card numbers for AMEX, VISA, MasterCard:
^((4\d{3})|(5[1-5]\d{2}))(-?|\040?)(\d{4}(-?|\040?)){3}|^(3[4,7]\d{2})(-?|\040?)\d{6}(-?|\040?)\d{5}

email address:
^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$
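
The entry logic described in Configuring a Data Type Rule (OR between entries, AND between the parameters of one entry) and the sample expressions above can be tried out before a rule is saved. The following added example is not SecureSphere code: it uses Python's re module, and the name-matching behaviour, case handling, class and function names and sample columns are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Patterns copied from the "Sample Regular Expressions for Sensitive Data" table.
SSN = r"^([0-6]\d{2}|7[0-6]\d|77[0-2])([ \-]?)(\d{2})\2(\d{4})$"
CARD = (r"^((4\d{3})|(5[1-5]\d{2}))(-?|\040?)(\d{4}(-?|\040?)){3}"
        r"|^(3[4,7]\d{2})(-?|\040?)\d{6}(-?|\040?)\d{5}")
EMAIL = r"^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$"


@dataclass
class Entry:
    """One rule entry; parameters left as None are not checked."""
    table: Optional[str] = None
    column: Optional[str] = None
    content: Optional[str] = None  # regular expression


def entry_matches(e: Entry, table: str, column: str, values: Sequence[str]) -> bool:
    """AND across the parameters that are set in a single entry."""
    if e.table is None and e.column is None and e.content is None:
        return False  # an empty entry would otherwise match every column
    # Assumption: names match as case-insensitive substrings.
    if e.table is not None and e.table.lower() not in table.lower():
        return False
    if e.column is not None and e.column.lower() not in column.lower():
        return False
    if e.content is not None:
        # Assumption: case-insensitive, and one matching sampled value is enough.
        rx = re.compile(e.content, re.IGNORECASE)
        if not any(rx.search(v) for v in values):
            return False
    return True


def classify(entries: List[Entry], columns) -> List[Tuple[str, str]]:
    """OR across entries: the (table, column) pairs matched by any entry."""
    return [(t, c) for t, c, vals in columns
            if any(entry_matches(e, t, c, vals) for e in entries)]


def pattern_caveats() -> dict:
    """Behaviours of the sample patterns worth knowing before adapting them."""
    return {
        # Written with A-Z only: lower-case addresses need a case-insensitive match.
        "email_misses_lower_case": re.search(EMAIL, "alice@example.com") is None,
        # [4,7] is a character class that also accepts a literal comma.
        "card_accepts_comma": re.search(CARD, "3,12-123456-12345") is not None,
        # No trailing $ on the card pattern: a longer digit run still matches.
        "card_matches_prefix": re.search(CARD, "41111111111111119999") is not None,
        # The \2 back-reference in the SSN pattern rejects mixed separators.
        "ssn_rejects_mixed_separators": re.search(SSN, "123-45 6789") is None,
    }


# Constructed sample: (table, column, sampled values).
SAMPLE_COLUMNS = [
    ("customers", "ssn", ["123-45-6789", "078 05 1120"]),
    ("customers", "email", ["alice@example.com"]),
    ("orders", "card_no", ["4111 1111 1111 1111"]),
    ("orders", "notes", ["call back Tuesday"]),
    ("audit", "ssn_hash", ["9f2c", "a71b"]),
]
PII_RULE = [Entry(column="ssn", content=SSN), Entry(content=EMAIL)]
CARD_RULE = [Entry(table="orders", content=CARD)]

if __name__ == "__main__":
    print(classify(PII_RULE, SAMPLE_COLUMNS))
    print(classify(CARD_RULE, SAMPLE_COLUMNS))
    print(pattern_caveats())
```

The audit.ssn_hash column is not classified because its name matches but its content does not, which is the AND behaviour within one entry.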


Deleting a Data Type Rule

You can delete a user-defined rule from a data type.

To delete a user-defined data type rule:

1. In the Main workspace, select Discovery & Classification > Scans Management.
2. From the Scope Selection drop down, select Data Types Configuration.
3. Select a Data Type.
4. Under DB Classification Rules, select the rule you wish to configure.
5. Click Delete. Confirm the deletion.
6. Click Save.


Managing Discovered Servers


Once a service discovery scan has been run, discovered servers are displayed in the Discovery Results window in
which they can be viewed, modified, accepted into the SecureSphere architecture, or rejected. SecureSphere provides
both graphic and tabular means of examining discovered servers, then enables you to determine a means of
managing discovered servers. This section reviews the various aspects of working with discovered servers including
the following:

• Analyzing Discovered Servers


Analyzing Discovered Servers

Analyzing discovered servers involves viewing the results of service discovery using the various discovery views, then
taking action as required.

To view the results of service discovery:

• In the Main workspace, choose Discovery & Classification > Discovered Servers. Discovered Servers are
displayed in tabular format.

The Discovered Servers window displays a summary of discovered servers and their details by default, and enables
you to configure a variety of parameters regarding the discovered servers. It additionally offers a number of graphical
views with charts that assist in visually analyzing discovery results.

SecureSphere offers two primary ways of viewing discovered servers:

• Viewing Discovered Server Details in Tabular View


• Viewing Discovered Servers in Graphical Views


Viewing Discovered Server Details in Tabular View

Discovered servers can be viewed and managed from Tabular view. Various parameters regarding the discovered
servers can be configured directly from Tabular view including assigned service and action regarding whether to
accept or reject the discovered service. The following table displays the various options available in the Discovered
Servers window. For information on how to manage discovered servers, see Working with Discovered Servers.

Discovered Servers Description

Field Name: Description

Scan: Name of the discovery scan that discovered the services.
Host: Hostname of the discovered service.
IP: IP address of the discovered service.
Port: Port of the discovered service.
Status: Whether the service is newly discovered or exists in SecureSphere.
Data: Whether sensitive data was found on the service.
OS: Details of the operating system the service runs on. Hovering over the field displays additional information such as service pack level.
OS: Whether operating system credentials were configured for this service.
Service Type: Details of the service type found. Hovering over the field displays full details of the service.
DB: Whether database credentials were configured for this service.
Site: Site in the SecureSphere site tree the scan was created for.
Server Group: Server group the discovered service currently belongs to. Enables you to assign the service to a different server group if the scan is not configured to automatically accept.
Service: Service the discovered service currently belongs to. Enables you to manually edit the service name if the scan is not configured to do so automatically.
Date: The date the service was discovered.


Viewing Discovered Servers in Graphical Views

In addition to Tabular view, SecureSphere enables you to view discovered servers in intuitive, easy to read charts that
represent the services discovered in your network.

To view discovered servers in graphical format:

1. In the Main workspace, select Discovery & Classification > Discovered Servers. The Discovery Results
window appears. Discovered Servers are displayed in tabular format.
2. From the Views pane, select the desired view. For example, Server by Location. That view is displayed.

SecureSphere has a number of discovered servers views that show data in comprehensible format. Views display data
in graphic format using tables and charts. The following table lists the views that are available for the specific scan
selected in the Scope pane.

Discovered Servers Views


Name: Description

Service Discovery Results: Displays discovered servers in table format and enables you to configure service names. For more information, see Analyzing Discovered Servers.

Summary View: Displays data in a number of graphs to assist in understanding discovered basic information regarding these services including IP addresses, Operating System types, services with credentials discovered, and more.

Pending Servers: Displays discovered servers whose action is pending, or in other words, that need to be accepted or rejected into SecureSphere. This is done from the Server Discovery Results window as described in Manually Accepting and Rejecting Discovered Servers.

Rejected Services: Services that have previously been discovered but rejected. For more information see Editing Discovered Servers.

Discovered Servers: Displays discovered servers based on their location including SecureSphere site and server group. Available views include:
• Server By Location: Shows discovered servers by IP addresses and server types.
• Discovered Service Type: Shows number of IP addresses by service types as well as discovered subnets, ports and versions by service type.
• Operating System Distribution: Shows discovered service IP addresses by operating system as well as discovered subnets, versions and service types by operating system.
• Servers with Sensitive Data: Shows the number of servers discovered with sensitive data by IP address and a breakdown of discovered servers by service type.

Discovered Policy Effectiveness: Displays discovered servers based on the policy which discovered them. Available views include:
• Discovered Servers by Policy: Shows discovered service IP addresses by policy as well as service type, operating systems by policy; and services with sensitive data.
• Servers with No Discovered Credentials: Shows discovered servers by whether or not credentials have been discovered. Shows a breakdown of servers with no credentials by policy name.
• Host Name Resolution: Shows the rate of successful host name resolution and a breakdown of successful resolution by policy name.

Workflow Analysis: Displays discovered servers based on their status as configured in SecureSphere. For example, if a discovered service has been added to the SecureSphere site tree. Available views include:
• Distribution by Action: Shows discovered servers by the action that has been taken on them since being discovered, service types and operating systems by action.
• Pending Servers by Age: Displays discovered servers that have yet to be managed (accepted or rejected) by the amount of time passed since they were discovered.
• Accepted Servers Configuration: Shows discovered servers that have been accepted and the methods by which they were accepted. Additionally shows accepted servers by service type and by operating system.
• Rejects Services: Displays discovered servers that have been rejected.

Data Analysis: Displays discovered service and whether or not data was discovered on the service. Available views include:
• Data: Shows the number of services on which data was discovered by service, the number of services on which sensitive data was discovered.


Working with Discovered Servers


After a discovery scan is run, discovered servers are displayed in the Discovered Servers window and can be accepted
into SecureSphere's site tree, adding them to the relevant SecureSphere site.

Note: The Discovered Servers window only displays results from the Last Scan.
Consequently, the filter is permanently set to Last Scan Only is True. If you try to remove
this filter criterion and then apply the change, the filter is not modified and retains
the Last Scan Only field as true.

• Editing Discovered Servers
• Manually Accepting and Rejecting Discovered Servers
• Reinstating Rejected Discovered Servers


Editing Discovered Servers

Once discovery has been conducted, discovered items are displayed in the Discovered Servers window. You can edit
various parameters about the discovered servers.

To edit discovered servers:

1. In the Main workspace, select Discovery & Classification > Discovered Servers. Discovered Servers and their
options are displayed.
2. In the Views pane, select Server Discovery Results. Discovered servers are displayed. The table Discovered
Server Parameters below shows the discovered server parameters that can be edited.
3. Modify the parameters as required.

Note: To modify multiple entries at once, select the desired rows and right-click, then choose
Multiple Edit. Configure the parameters as required.

4. Click Save. Your changes are saved. If you accepted a service, it is added to the site tree. If you rejected a service,
it is removed from the Discovered Servers window and can be reinstated at a later time if desired. For more
information on reinstating rejected services, see Reinstating Rejected Discovered Servers.

Discovered Server Parameters

Option: Description

Server Group: Enables you to assign the discovered service to an existing SecureSphere server group.

Service: Enables you to modify the service name of the discovered service.

Action: Enables you to accept (add it to the site tree) or reject a service that has been discovered. For further information about accepting or rejecting a service, see Manually Accepting and Rejecting Discovered Servers. Note: Rejected services are excluded from future scan runs.


Manually Accepting and Rejecting Discovered Servers

Services that have been discovered can be manually accepted or rejected from the Discovered Servers window. For
information on having them automatically accepted, see Using Service Discovery to Populate a SecureSphere Site.

To accept or reject discovered servers:

1. In the Main workspace, select Discovery & Classification > Discovered Servers. Discovered Servers are
displayed.
2. In the Views pane, select Service Discovery Results.
3. Select one or more services, then right-click them. The right-click menu appears.
4. Select the desired option. Services are accepted and added to the site tree, or rejected as desired.

Note: You can additionally accept or reject a service by selecting the desired option from
the Action column on the right-hand side of the Discovered Servers window.


Reinstating Rejected Discovered Servers

Services that have been previously rejected can be reinstated. This enables you to resolve issues where you’ve
mistakenly rejected a service without having to re-run a discovery scan.

To reinstate a rejected service:

1. In the Main workspace, select Discovery & Classification > Discovered Servers. The Discovered Servers
window appears.
2. In the Views pane, select Rejected Servers. The Rejected Servers window opens.
3. In the Rejected Servers window, click reinstate the service. The service reappears in the Discovered Servers
window. You can now modify its parameters, accept it or reject it as required.


Managing Classified DB Data


Once a DB Data Classification scan has been run, classified data is displayed in the Classified DB Data window in which
it can be viewed and modified. SecureSphere provides both graphic and tabular means of examining classified data,
then enables you to determine a means of managing new data. This section reviews the various aspects of working
with classified data including the following:

• Analyzing Classified DB Data
• Managing Classified DB Data

Note: If you are working with a MySQL database, you must have the correct driver
installed. For more information, see Working with MySQL.


Analyzing Classified DB Data

Once data has been classified you can analyze and manage it. Analyzing classified data involves viewing data that has
been classified with the various classification views, then taking action as required.

To view the results of a classified DB data scan:

1. In the Main workspace, select Discovery & Classification > Classified DB Data. The Classified DB Data window
appears.
2. From the Views pane, select DB Data Classification Results. DB Data classification results are displayed.

Note: The Classified DB Data window only displays results from the Last Scan.
Consequently, the filter is permanently set to Last Scan Only is True. If you try to remove
this filter criterion and then apply the change, the filter is not modified and retains
the Last Scan Only field as true.

The DB Data Classification Results window displays classified data, and enables you to configure parameters regarding
the classified data. It additionally offers a number of graphical views with charts that assist in visually analyzing
classification results.

SecureSphere offers two primary ways of viewing classified data:

• Analyzing Classified DB Data in Tabular View
• Viewing Classified DB Data in Graphical Views


Analyzing Classified DB Data in Tabular View

Classified data can be both viewed and managed from the DB Data Classification Results (tabular) view. Some
parameters regarding the classified data can be configured directly from this view. The Classified Data Options table
displays the various options available in the Classified DB Data window.

• For information regarding details displayed on each scan result when the row is expanded, see Classified DB
Data Details.
• For information on how to manage classified data, see Managing Classified DB Data.

Classified Data Options

Field Name: Description

Policy: Policy that discovered the data.

DB: Name of the database containing data. For example, for Oracle and DB2 databases, the value displayed here is the SID. In MSSQL, the value displayed is the database name.

Schema: Name of the schema containing data.

Table: Name of the table containing data.

Table Type: Whether the item is a Table, View, or Synonym.

Table Status: Whether the table is newly classified or exists in a table group in SecureSphere.

Site: Site the classified data belongs to.

Server group: Server group the classified data belongs to.

Service Type: Details of the service type found. Hovering over the field displays full details of the service.

Service: Service the classified data belongs to.

Service Status: Status of the service.

Data Type: Type of data that was found on the service.

Table Group: Table group the classified table is assigned to. Note: Table groups are assigned to a service based on existing Database/Schema mapping rules when applicable.

TG Status: Whether the table group already exists in SecureSphere or is newly created as a result of discovery.

Sensitive: Whether the table group is flagged as sensitive.

Date: Date the data was classified.

Action: Actions that can be taken on this table group and table. If the scan is configured to automatically accept data this shows accepted, otherwise the value is pending until the data is manually accepted.


Classified DB Data Details

In addition to overall information about the scan run, table status, site information, etc., you can see details about the
specific data that was classified in a column, and also preview a sample of that data if the scan that classified the data
was configured with the Save Sample Data option enabled.

Note: Data details can be hidden by disabling the Save Sample Data option in the DB Data
classification scan options then running the scan again.

The following table lists the details that are displayed in this expanded row.

Expanded Classified Data Details

Field Name: Description

Column Name: Name of the column in which the sensitive data was classified.

DB Type: Type of database containing data.

Length: The maximum length of the column as defined in the database.

Discovery Accuracy: For content based rules, the percent of samples that matched the rule.

Discovery Rule Name: Name of the rule used to identify the sensitive data.

Discovery Method: Method used to discover the sensitive data.

Samples: Displays up to five unique samples of data in the matched column in order to give you insight into the specific data in the column. Samples are displayed for content based rules only. Note: If fewer than five samples appear in this column, it may be due to fewer than five unique instances of data being present, meaning the same data may be repeated in multiple records.
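
To make the Discovery Accuracy and Samples fields concrete, the following added example (not SecureSphere code and not part of the original guide) evaluates a hypothetical content-based rule over constructed column values. The rule (card-number pattern plus Luhn check), the function names and the sample rows are assumptions; only the "percent of samples that matched" and "up to five unique samples" definitions come from the table above.

```python
import re

# Assumed rule: 13-19 digits, optionally separated by spaces or dashes,
# that also pass the Luhn checksum (a typical card-number content check).
CARD_RE = re.compile(r"^\d(?:[ -]?\d){12,18}$")
MAX_SAMPLES = 5  # the guide says up to five unique samples are displayed


def luhn_ok(digits):
    """Return True if a string of digits passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def matches_rule(value):
    """Apply the assumed content-based rule to one sampled cell value."""
    if value is None:
        return False
    text = str(value).strip()
    return bool(CARD_RE.match(text)) and luhn_ok(re.sub(r"[ -]", "", text))


def classify_column(values):
    """Return (accuracy as percent of samples matched, unique samples)."""
    if not values:
        return 0.0, []
    hits = sum(1 for v in values if matches_rule(v))
    accuracy = round(100.0 * hits / len(values), 1)
    unique = []
    for v in values:
        if v is not None and v not in unique:
            unique.append(v)
        if len(unique) == MAX_SAMPLES:
            break
    return accuracy, unique


# Constructed sample values (well-known test card numbers, not real data).
MIXED_COLUMN = [
    "4111 1111 1111 1111",
    "4111 1111 1111 1111",    # repeated record
    "5500-0000-0000-0004",
    "4111 1111 1111 1112",    # right shape, fails Luhn
    "n/a",
    None,
    "340000000000009",
    "4111 1111 1111 1111",
]
REPEATED_COLUMN = ["4111 1111 1111 1111"] * 4

if __name__ == "__main__":
    for name, column in (("mixed", MIXED_COLUMN), ("repeated", REPEATED_COLUMN)):
        accuracy, samples = classify_column(column)
        print(f"{name}: accuracy={accuracy}% samples={samples}")
```

The second column shows why fewer than five samples can appear: every sampled record holds the same value, so only one unique sample exists even though accuracy is 100%.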


Viewing Classified DB Data in Graphical Views

In addition to Tabular view, SecureSphere enables you to view classified data in intuitive, easy to read charts that
represent the data classified in your network.

To view classified data in graphical format:

1. In the Main workspace, select Discovery & Classification > Classified DB Data. The Classified DB Data window
appears.
2. From the Views pane, select the desired view. For example, Distribution by Data Type. That view is displayed.

SecureSphere has a number of classified data views that show data in comprehensible format. Views display data in
graphic format using tables and charts. The following table lists the views that are available for the specific scan
selected in the Scope pane.

Classified Data Views

Name: Description

DB Data Classification Results: Displays classified data in table format and enables you to configure a number of parameters regarding this data such as Data Type, and more. For more information, see Managing Classified DB Data. It additionally can provide a sample of data by displaying the first few records of the table classified when discovered using content based rules. In order to see a sample of data, the Save Sample Data option in the DB Data classification scan needs to have been enabled before the scan was run.

Summary View: Displays data in a number of graphs to assist in understanding basic information regarding classified data including at what locations data was classified (IP addresses), database types and more.

Pending Tables: Displays tables that have been classified but not yet accepted or rejected and provides some details regarding this data.

Rejected Tables/Columns: Displays rejected tables and columns by site.

Classified Data:

• Servers with Sensitive Data: Shows sensitive data that’s been classified by service.
• Distribution by Data Type: Shows classified data and the service types on which this data was classified by data type.
• Distribution by Database Type: Shows classified data and the service types on which this data was classified by database type.
• Distribution by Network Location: Shows classified data and their data type classified by location (IP address).

Scan Effectiveness:

• Classified Tables: Shows a list of classified tables.

Workflow Analysis:

• Distribution by Action: Shows classified data by the actions taken on it (pending, added by user, etc.), shows service type and data type by workflow action, and displays classified tables.
• Accepted Tables: Shows tables that have been accepted by how they were accepted (manual, automatic), broken down by site and server group, by the server type on which they are located, and by their location (IP).


Managing Classified DB Data

After a DB Data Classification scan has been run, classified data is displayed in the Classified DB Data window, where it
can be accepted into a table group and configured. The various actions that can be taken on classified data include the
following:

• Editing Classified DB Data
• Manually Accepting or Rejecting Classified DB Data


Editing Classified DB Data

Once classification has been conducted, classified items are displayed in the Classification window. You can edit
various parameters about classified data.

To edit classified data:

1. In the Main workspace, select Discovery & Classification > Classified DB Data. The Classified DB Data window
appears.
2. From the Views pane, select DB Data Classification Results. The DB Data Classification Results window
appears. The table Classified Data Parameters below shows the classified data parameters that can be edited.
3. Modify parameters as required.

Note: To modify multiple entries at once, select the desired rows and right-click, then choose
Multiple Edit. Configure the parameters as required.

4. Click Save in the upper right of the screen. Your settings are saved.

Classified Data Parameters

Option: Description

Data Type: Determines the data type to which the data is assigned. You can select a type from the drop-down list.

Sensitive: Enables you to mark the table as containing sensitive data which can be used to prevent data leakage. For more information about protecting sensitive data, see Configuring Sensitive Data Protection.


Manually Accepting or Rejecting Classified DB Data

Data that has been classified can be manually accepted or rejected from the Classified DB Data window.

• Accepting data: Adds it to the relevant table group based on the parameters detailed in the Classified DB Data
window.
• Rejecting data: Removes it from classification results.

To accept or reject classified data:

1. In the Main workspace, select Discovery & Classification > Classified DB Data. The Classified DB Data window
appears.
2. In the Views pane, select DB Data Classification Results. Classified Data is displayed.
3. Select one or more rows, then right-click. The right-click menu appears.
4. Select the desired option. Data is accepted or rejected as selected and added to the relevant table group.

Notes:

• You can additionally accept or reject data by selecting the desired option from the
Action column on the right-hand side of the Classified DB Data window.
• You can see previously rejected data in the Rejected Tables/Columns view.

EXAMPLE: Editing and Accepting Classified Data

SecureSphere classified a table named "accountinformation" that lists information regarding customer accounts. You
might want to assign this table to the Financial Transactions data type, accept the proposed table group, and make
sure the data is marked as sensitive. Then accept the row.
