Guardium’s Compliance Workflow Automation application automates the entire compliance workflow process, starting with discovery, assessment and hardening, to activity monitoring and audit reporting, report distribution, sign-off by key stakeholders, and escalations.
The results of each workflow process, including the review, sign-off trails, and comments can be archived and later restored and reviewed through the Investigation Center. See the Investigation Center Help Book for more information.
A compliance workflow automation process consists of:
A process definition
A distribution plan, which:
Defines receivers, who can be individual users, user groups, or roles. (See Process Receivers, below.)
Defines the review/sign responsibility for each receiver.
Defines the distribution sequence by setting the Continuous flag.
A set of tasks (see Process Task Types, below)
A schedule – The audit process can be run immediately, or a schedule can be defined to run the process on a regular basis.
A workflow process may contain any number of tasks, each of which can be:
A custom or pre-defined report.
A security assessment, which produces a special type of report evaluating database security based on the results of one or more security assessment tests.
An entity audit trail, which produces a detailed report of activity relating to a specific entity (a client IP address or a group of addresses, for example).
A privacy set, which produces a report detailing access to a group of object-field pairs (a social security number and a date of birth, for example) during a specified time period.
A classification process, which scans existing database metadata and data, reporting on information that may be sensitive.
An external feed, which exports data to an external application (this is an extra-cost feature).
On a Central Manager, reports can reference data from remote datasources (managed units). Audit processes that use these reports will be accessible from the Central Manager only, and will not be visible from managed units. For more information, see Central Management.
Audit process receivers will be notified via e-mail and/or their to-do list of pending audit process results. You can designate any receiver as a signer for a process, in which case the results can optionally be held at that point on the distribution list, until that receiver electronically signs the results or releases them. Receivers can be individual users, user groups, or roles.
At least one receiver must be defined before a workflow automation process can be saved. You can define any number of receivers for a workflow automation process, and you control the order in which they receive results. In addition, receivers can notify additional receivers, using the Escalate function.
On the Process Definition panel, the drop-down list of receivers includes all Guardium users, user groups, and roles (groups and roles are labeled as such). When a group or role is selected, all users belonging to the group or having that role will receive the results.
If a group receiver is selected, and any workflow automation task uses the special run-time parameter ./LoggedUser in a query condition, the query will be executed separately for each user in the group, and each user will receive only their results.
For example, assume that your company has 3 DBAs, and each DBA is in charge of a different set of servers. Using the Custom Data Upload facility, you could upload the areas of responsibility of each DBA (which server IPs) to the Guardium appliance, correlate that to the database activity domain, and then use a report in this custom domain as an audit task. If a user group that contains the 3 DBAs is designated as the receiver, each DBA will receive the report relevant for his or her collection of servers only.
If a group receiver is selected, and sign-off is required, each group member must sign the results separately (as explained above, each member of the group may be looking at a different set of results).
If a role receiver is selected, only one user with that role will need to sign the results, and other users with that role will be notified when the results have been signed.
Optionally, receivers can be notified of new process results via e-mail, and there are two options for distributing results via e-mail:
Link Only - The e-mail notification will contain a hypertext link to the results stored on the Guardium appliance. For the link to work, you must access your mail from a system that has access to the Guardium appliance. See the following topic for more information about e-mail links.
Full Results - A PDF file containing the results will be attached to the e-mail, except for an Escalation that specifies a receiver not included in the original distribution list, in which case no PDF file will be attached. When the Full Results option is selected, care must be taken, since sensitive and private data may be included in the PDF file. If the process contains assessment or classifier tasks (which can be long-running tasks), the results will be queued until all tasks have completed. That queue is checked every ten minutes, so there may be a delay of nearly ten minutes between the time that all tasks complete and the time that an e-mail notification is sent.
In e-mail messages, there are conditions where links to process results on the Guardium appliance will not work. For example:
If you are accessing e-mail from a location where you cannot normally access the Guardium appliance, the links will not work. For example, when out of the office, you may have access to your e-mail over the Internet, but not to your company’s private network or LAN, where the appliance is installed.
If you have not accessed your e-mail for a longer period of time than the report results are kept, those results will not be available when you click the link. For example, if the results are kept for seven days but you have been on vacation for two weeks, your e-mail may contain links to results older than seven days, and those links will not work.
Once a process has been run, the existing receiver list is frozen, which means:
You cannot delete receivers from the list.
You cannot move existing receivers up or down in the list.
You can add receivers to the end of the list at any time, and reposition the new receivers at that time.
If the Guardium user account for a receiver on the list is deleted, the admin user account (which is never deleted) is substituted for that receiver. Thus the admin user receives any e-mail notifications that would have been sent to a deleted receiver, and the admin user must act upon any results released to that receiver.
If you need to create a totally different set of receivers for an existing process, deactivate the original process, make a clone of it, and then make the modifications to the receivers list in the cloned version before saving it.
Results are released to the Guardium users listed on the receivers list, proceeding from top to bottom, subject to the Continuous checkbox, as follows:
If the Continuous checkbox is marked, distribution continues to the next receiver on the list without interruption.
If the Continuous checkbox is cleared, distribution to the next receiver is held until the current receiver performs the required action (review or sign).
For example, assume you want to define a workflow process as follows:
DBAs - All DBAs should receive their results at the same time, with each DBA receiving a different result set based on the server IPs associated with him/her
Only when ALL DBAs have signed should the DBA Manager see the results.
Only when the DBA Manager releases the report should the Auditors see the results.
All Auditors should receive the reports at the same time, but only one of them (any of them) needs to sign each result. The others will be updated when a result has been signed.
An auditor can escalate a result to the Audit Manager.
To define this flow:
The DBAs group would be named as the first receiver, with sign-off required before continuing.
The DBA Manager would be next on the list, with sign-off required before continuing.
The Auditors role (not group) would be next on the list. Any Auditor could sign, and the others will be notified. Also, any auditor can escalate a result set to the Audit Manager.
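The release rules above (top-to-bottom order, the Continuous flag, all group members signing separately, one signer sufficing for a role, escalation appending a receiver to the end of the list) can be modelled as a small state machine. The following is an added example written for this page, not Guardium code: it follows the semantics stated in the DBA / DBA Manager / Auditors walk-through, and the user names, the Receiver class and the run() function are assumptions made for illustration.

```python
"""Toy model of a workflow-automation distribution plan (added example, not Guardium code).

Modelled rules, taken from the text:
  - results go to receivers top to bottom;
  - Continuous marked  -> the next receiver gets the results at once;
  - Continuous cleared -> the next receiver waits for this receiver's required action;
  - a group with sign-off required needs EVERY member to act (each sees their own results);
  - a role (or a single user) needs only ONE user to act;
  - escalation adds a receiver to the end of the list (existing order is frozen).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Receiver:
    name: str
    kind: str            # "user", "group" or "role"
    members: tuple       # users behind the receiver; for kind == "user", just (name,)
    action: str          # "review" or "sign"
    continuous: bool     # True: do not hold the next receiver on this one's action


def satisfied(receiver, acted_users):
    """Has this receiver performed its required action?"""
    if receiver.kind == "group":
        return set(receiver.members) <= acted_users      # all members, separately
    return bool(set(receiver.members) & acted_users)     # user or role: any one


def released_prefix(receivers, acted):
    """Receivers that currently hold the results, given who has acted so far."""
    out = []
    for r in receivers:
        out.append(r.name)
        if not r.continuous and not satisfied(r, acted[r.name]):
            break                                        # held at this receiver
    return out


def run(receivers, events):
    """Replay events and return the list of receivers that have received results.

    events: sequence of ("act", receiver_name, user) or ("escalate", receiver_obj).
    Raises ValueError on an action by someone who has not yet received the results.
    """
    receivers = list(receivers)
    acted = {r.name: set() for r in receivers}
    for event in events:
        if event[0] == "escalate":
            new = event[1]
            receivers.append(new)                        # only the end of the list can change
            acted[new.name] = set()
            continue
        _, name, user = event
        target = next(r for r in receivers if r.name == name)
        if name not in released_prefix(receivers, acted):
            raise ValueError(f"{user} cannot act on {name}: results not released yet")
        if user not in target.members:
            raise ValueError(f"{user} is not a member of {name}")
        acted[name].add(user)
    return released_prefix(receivers, acted)


# Constructed distribution plan mirroring the DBA / DBA Manager / Auditors example.
PLAN = [
    Receiver("DBAs", "group", ("alice", "bob", "carol"), "sign", continuous=False),
    Receiver("DBA Manager", "user", ("dave",), "sign", continuous=False),
    Receiver("Auditors", "role", ("erin", "frank"), "sign", continuous=True),
]


def demo():
    events = [("act", "DBAs", "alice"), ("act", "DBAs", "bob")]
    before = run(PLAN, events)                           # still held at the DBAs group
    events += [("act", "DBAs", "carol"), ("act", "DBA Manager", "dave"),
               ("act", "Auditors", "erin")]              # one auditor suffices
    after = run(PLAN, events)
    return before, after


if __name__ == "__main__":
    print(demo())
```

With Continuous cleared on the DBAs group, the DBA Manager does not see the results until alice, bob and carol have each signed; once dave signs, the Auditors role is released and a single auditor's signature completes the trail.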
Note: Process results that are exported to CSV or CEF files are sent to another network location by the Guardium archiving and exporting mechanism. These results are not subject to the receivers list or to any signing actions. They are subject to the Guardium CSV/CEF export schedule (if any is defined), and they are subject to the access permissions that have been granted for the directory in which they are ultimately stored.
Reports containing information that can be used by other applications, or reports containing large amounts of data, can be exported to other file formats. Report, Entity Audit Trail, and Privacy Set task output can be exported to CSV (Comma Separated Value) files, and output for database activity reports can be exported to an ArcSight Common Event Format (CEF) file. See the CEF Mapping appendix for information about how Guardium data is mapped to the CEF format.
In addition, CEF and CSV file output can be written to syslog. If the remote syslog capability is used, this will result in the immediate forwarding of the output CEF/CSV file to the remote syslog locations. The remote syslog function provides the ability to direct messages from each facility and severity combination to a specific remote system. See the remote syslog cli command description for more information.
Each record in the CSV or CEF file represents a row on the report.
The exported file is created in addition to the standard task output – it does not replace it. These files are useful when you need to:
Integrate with an existing SIEM (Security Incident and Event Manager) in your infrastructure (ArcSight, Network Intelligence, LogLogic, etc.).
Review and analyze very large compliance task result sets. (Task result sets that are intended for Web presentation are limited to 5,000 rows of output, whereas there is no limit to the number of rows that will be written to an exported CSV or CEF file.)
Exported CSV and CEF files are stored on the Guardium appliance, and are named in the format:
process_task_YYYY_MMM_DD-HHMMSS.<csv | cef>
Where process is a label you define on the audit process definition, task is a second-level label that you can define for each task within the process, and YYYY_MMM_DD-HHMMSS is a date-time stamp created when the task runs.
You cannot access the exported CSV or CEF files directly on the Guardium appliance. Your Guardium administrator must use the CSV/CEF Export function to move these files from the Guardium appliance to another location on the network. To access those files, check with your Guardium administrator to determine the location to which they have been copied.
The fact that exported files are sent outside of the Guardium appliance has two important implications:
The release of these files is not connected to the results distribution plan defined for the audit process. These files are exported on a schedule defined by the Guardium administrator.
Once the CSV/CEF Export function runs, all exported files will be available to anybody (Guardium user or not) who can access the destination directory defined for the CSV/CEF Export operation. For this reason, your Guardium administrator may want to schedule additional jobs (outside of the Guardium system) to copy sets of exported files from the Guardium CSV/CEF Export destination directory, to directories with appropriate access permissions.
CSV/CEF Export activity is available in the Aggregation/Archive Activity report.
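Because the export destination directory is readable by anyone who can reach it, the text suggests a separate job that moves exported files into directories with tighter permissions. The script below is an added example written for this page, not a Guardium utility: it parses the process_task_YYYY_MMM_DD-HHMMSS.csv|cef naming scheme and relocates each file into a per-process directory that only the owner can read. It assumes (the page does not say) that MMM is the three-letter English month abbreviation and that the process label contains no underscore; the directory names and function names are illustrative.

```python
"""Relocate exported CSV/CEF files into owner-only directories (added example, not Guardium code).

Filename format from the text:  process_task_YYYY_MMM_DD-HHMMSS.<csv|cef>
Assumptions (not stated on the page): MMM is a three-letter English month
abbreviation such as Jan, and the process label contains no underscore, so the
first underscore separates process from task.
"""
import os
import re
import shutil
from datetime import datetime
from pathlib import Path

EXPORT_NAME = re.compile(
    r"^(?P<process>[^_]+)_(?P<task>.+)_"
    r"(?P<stamp>\d{4}_[A-Za-z]{3}_\d{2}-\d{6})\.(?P<ext>csv|cef)$"
)


def parse_export_name(name):
    """Return the components of an exported file name, or None if it does not match."""
    m = EXPORT_NAME.match(name)
    if not m:
        return None
    parts = m.groupdict()
    parts["run_at"] = datetime.strptime(parts["stamp"], "%Y_%b_%d-%H%M%S")
    return parts


def relocate_exports(export_dir, restricted_root):
    """Move every recognised export file into restricted_root/<process>/ with owner-only access.

    Returns (moved, skipped): moved is a list of destination paths, skipped the
    names that did not match the naming scheme (left in place for a human to check).
    """
    export_dir, restricted_root = Path(export_dir), Path(restricted_root)
    moved, skipped = [], []
    for entry in sorted(export_dir.iterdir()):
        if not entry.is_file():
            continue
        parts = parse_export_name(entry.name)
        if parts is None:
            skipped.append(entry.name)
            continue
        target_dir = restricted_root / parts["process"]
        target_dir.mkdir(parents=True, exist_ok=True)
        os.chmod(target_dir, 0o700)              # owner only; no-op on Windows
        dest = target_dir / entry.name
        shutil.move(str(entry), str(dest))
        os.chmod(dest, 0o600)                    # drop group/world read on the data file
        moved.append(str(dest))
    return moved, skipped


def demo(tmp_root):
    """Build a constructed export directory under tmp_root and relocate it."""
    tmp_root = Path(tmp_root)
    export_dir = tmp_root / "export"
    export_dir.mkdir(parents=True, exist_ok=True)
    # Constructed sample files (not real Guardium output).
    for name in ("SOX_PrivUsers_2024_Jan_15-093015.csv",
                 "SOX_Exceptions_2024_Jan_15-093016.cef",
                 "PCI_Logins_2024_Feb_01-000000.csv",
                 "notes.txt"):
        (export_dir / name).write_text("constructed sample\n")
    return relocate_exports(export_dir, tmp_root / "restricted")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))
```

Run it from a scheduler after the Guardium CSV/CEF Export job has delivered the files; files that do not match the naming scheme are deliberately left in place rather than moved blindly.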
Do one of the following to open Audit Process Finder:
Users with the admin role: Select Tools > Config & Control > Audit Process Builder.
All Others: Select Comply > Audit Process Builder.
Click the New button to open the Audit Process Definition panel.
Enter a name in the Description box. Do not include apostrophe characters.
Mark the Archive Results box if you want to store the results offline after the retention period (described below) has expired. When results have been archived, you can restore them to the appliance for viewing again, later.
In the Keep for a minimum of (n) days or (n) runs boxes, specify how long to keep the results, as either a number of days (0 by default) or a number of runs (5 by default). After that, the results will be archived (if the above box is marked) and purged from the appliance.
If one or more tasks create CSV or CEF files, you can optionally enter a label to be included in all file names, in the CSV/CEF File Label box.
In the Receivers pane, add the receivers for the process. See Add Receivers.
You must define at least one task before you can save the process. Perform the appropriate procedure for each audit task you want to include in the audit process:
Optionally assign security roles. See Assign Security Roles.
Optionally add comments. See Add or View Comments.
Click Save.
Report, Entity Audit Trail, and Privacy Set audit task output can be exported to CSV files, and Report audit task output can be exported to a CEF file.
Mark either Export CSV file or Export CEF file.
Note: CEF file output is appropriate for data access domain reports only (Access, Exceptions, or Policy Violations, for example). Other domains like the Guardium self-monitoring domains (Aggregation/Archive, Audit Process, Guardium Logins, etc.) do not map to CEF extensions. See the CEF Mapping appendix for a description of what Guardium attributes map to which CEF fields.
Enter an optional label for the file in the CSV/CEF File Label box. The default is from the Description for the task. This label will be one component of the generated file name (another will be the label defined for the workflow automation process).
If Export CEF file was selected, optionally mark the Write CEF to Syslog box to write the CEF records to syslog. If the remote syslog facility is enabled, the CEF file records will thus be written to the remote syslog.
If you have not yet started to define a compliance workflow automation process, see Create a Workflow Process before performing this procedure. If the report to be used has not yet been defined, do that first - see Audit & Report.
If the Add New Task pane is not open, click Add Audit Task.
Click the Report button.
Optionally create CSV or CEF file output and write to syslog. See Export a CSV or CEF File.
Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
Click Apply.
If you have not yet started to define a compliance workflow automation process, see Create a Workflow Process before performing this procedure. If the assessment to be used has not yet been defined, do that first - see Vulnerability Assessment.
If the Add New Task pane is not open, click Add Audit Task.
Click the Security Assessment button.
Select a security assessment from the Security Assessment list.
Click Apply.
If you have not yet started to define a compliance workflow automation process, see Create a Workflow Process before performing this procedure.
If the Add New Task pane is not open, click Add Audit Task.
Click the Entity Audit Trail button.
Select the type of entity to be audited. Depending on the type selected, you will be required to supply the following information:
Object: Enter an object name.
Object Group: Select an object group from the list. See Groups.
Client IP: Enter a client IP address.
Client Group IP: Select a client IP group. See Groups.
Server IP: Enter a server IP address.
Application User Name: Enter an application user name.
Optionally create CSV file output. See Export a CSV or CEF File.
In the Task Parameters pane, supply run-time parameter values (only the From and To periods are required).
Click Apply.
If you have not yet started to define a compliance workflow automation process, see Create a Workflow Process before performing this procedure. If the privacy set to be used has not yet been defined, do that first - see Privacy Sets.
If the Add New Task pane is not open, click Add Audit Task.
Click the Privacy Set button.
Select a privacy set from the Privacy Set list.
Select either Report by Access Details or Report by Application User to indicate how you want the results sorted and displayed.
Optionally create CSV file output. See Export a CSV or CEF File.
Enter starting and ending dates for the report in the Period Start and Period End boxes.
Click Apply.
If you have not yet started to define a compliance workflow automation process, see Create a Workflow Process before performing this procedure. If the classification process to be used has not yet been defined, do that first - see Classification Processes.
If the Add New Task pane is not open, click Add Audit Task.
Click the Classification Process button.
Note: You will be alerted that classification processes may return sensitive data, and those results will be appended to PDFs.
Select a classification process from the Classification Process list.
Click Apply.
This type of workflow automation task feeds data collected by Guardium to an external application, mapping the data to a format recognized by that application. This task type is an extra-cost feature, enabled by a patch.
Note: If this feature is used in a Central Manager environment, the External Feed Patch must be installed on the Central Manager, and on all managed units on which the task will run.
For more information about how the data is mapped from Guardium to the external application, refer to the documentation for the option that was purchased.
If you have not yet started to define a compliance workflow automation process, see Create a Workflow Process before performing this procedure.
If the Add New Task pane is not open, click Add Audit Task.
Click External Feed.
Select a feed type from the Feed Type list.
The controls that appear next depend on the feed type selected. See the Help Contents to the left, for additional information on specific External Feed Types.
Select an event type from the Event Type list.
Select a report from the Report list. Depending on the report selected, a variable number of parameters will appear in the Task Parameters pane.
In the Extract Lag box, enter the number of hours by which the feed is to lag, or mark the Continuous box to include data right up to the time that the audit task runs.
In the Datasources pane, identify one or more datasources for the external feed. For instructions on how to define or select datasources, see Datasources in the Common Tools book.
Enter all parameter values in the Task Parameters pane. The parameters will vary depending on the report selected.
Click Apply.
Open the compliance workflow automation results. (See Open Workflow Process Results.)
If signing is required, click the Sign Results button.
Optional. To forward these results to another user, click Escalate, and see Forward Results to Additional Receivers (Escalation).
Click the Close this window link (bottom, left).
Open your To-Do List panel. (See Open the To-Do List.)
Click the Continue button for the results you want to release to the next receiver on the distribution list.
Click the Close this window link (bottom, left).
Open the compliance workflow automation results. (See Open Workflow Process Results.)
Expand the Distribution Status panel by clicking the (Show Details) button.
Click the Close this window link (bottom, left).
Open the compliance workflow automation results. (See Open Workflow Process Results.)
Expand the Comments panel by clicking the (Show Details) button.
Note: These are the comments that were attached to the results when the report page was retrieved from the Guardium appliance. If you add comments of your own, or if other receivers are adding comments simultaneously, you will not see those comments until you refresh your page (using your browser Refresh function).
Click the Close this window link (bottom, left).
A receiver of process results can forward the results notification for review and/or sign-off to additional receivers. If you escalate the results to a receiver outside of the original audit and sign-off trail, and the results include a PDF file, that file will not be included with the notification.
If the compliance workflow automation results you want to forward are not open, open them now. (See Open Workflow Process Results.)
Click the Escalate button.
Select the receiver from the Receiver list. If the name you want does not appear in the list, that receiver is already on the distribution list for these results.
In the Action Required column, select Review (the default) or Review and Sign.
Click the Escalation button to complete the operation.
In the Receiver column, select a receiver from the drop-down list of Guardium users, groups, or roles. If you select a group or a role, all members of the group or users with that role will receive the results; and if signing is required, only one member or user will need to sign the results.
In the Action Required column, select one option:
Review (the default) – Indicates that this receiver does not need to sign the results (see below).
Review and Sign – Indicates that this receiver must sign the results (electronically, by clicking the Sign Results button when viewing the results online).
In the To-Do List column, either mark or clear the Add checkbox to indicate whether this receiver should be notified of pending results in their Audit Process To-Do List.
In the E-mail Notification column, select one option:
No – E-mail will not be sent to the receiver.
Link Only – E-mail will contain a hypertext link to the results (on the Guardium appliance).
Results – E-mail will contain a copy of the results in PDF format. Be aware that the results from Classification or Assessment tasks may return sensitive information.
The checkbox in the Continuous column controls whether distribution of results continues to the next receiver (the default), or stops until this receiver has taken the appropriate action (Review or Review and Sign). If the Continuous box is cleared, and this receiver is a group or a role, when any user who is a member of that group or role performs the selected action, the results will be released to the next receiver on the list.
Click the Add button to add the receiver to the end of the list, and repeat these steps for each receiver. (One receiver is required.)
Do one of the following to open Audit Process Finder:
Users with the admin role: Select Tools > Config & Control > Audit Process Builder.
All Others: Select Comply > Audit Process Builder.
Select the process from the Process Selection List.
Click Modify to open the Audit Process Definition panel.
To run the process once, click Run Once Now, or to define a schedule for the process, click Modify Schedule. See Scheduling for instructions on using the general purpose scheduling module.
Note: After a schedule has been defined for a process, the process runs according to that schedule only when it is marked active. To activate or deactivate an audit process, see Activate or Deactivate an Audit Process.
After a schedule has been defined for an audit process, it runs according to that schedule, only when it is marked active. To activate or deactivate an audit process:
Do one of the following to open Audit Process Finder:
Users with the admin role: Select Tools > Config & Control > Audit Process Builder.
All Others: Select Comply > Audit Process Builder.
Select the audit process from the Process Selection List.
Click Modify.
In the Audit Process Definition panel, mark the Active box to start running the process according to the schedule; or clear the Active box to stop running the process (ignoring any schedule defined).
Note: If you are activating the process but there is no schedule, click Modify Schedule to define a schedule for running the process.
Click Save.