www.datasunrise.

com

DataSunrise Database Security 9.3

DataSunrise CLI Guide

DataSunrise Database Security CLI Guide

Copyright © 2015-2023, DataSunrise, Inc . All rights reserved.

All brand names and product names mentioned in this document are trademarks, registered trademarks or service
marks of their respective owners.
No part of this document may be copied, reproduced or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording, or otherwise, except as expressly allowed by law or permitted in writing by the
copyright holder.
The information in this document is subject to change without notice and is not warranted to be error-free. If you
find any errors, please report them to us in writing.
 iii

Contents

Chapter 1: DataSunrise Command Line Interface Overview............................ 9

Running the CLI............................................................................................................................................... 9
Single-Process Mode..................................................................................................................................... 10
Universal commands......................................................................................................................................11
The "callRPC" command.....................................................................................................................12
The "arbitrary" command.................................................................................................................... 13
Error codes.....................................................................................................................................................14
Use case........................................................................................................................................................ 14

Chapter 2: The List of CLI Commands............................................................ 16

Chapter 3: Commands for Configuring System Settings............................... 24

Connecting to the DataSunrise's server........................................................................................................ 24
Disconnecting from DataSunrise....................................................................................................................24
Starting DataSunrise's Core...........................................................................................................................24
Stopping DataSunrise's Core.........................................................................................................................25
Restarting the Core........................................................................................................................................25
Checking restart necessity.............................................................................................................................25
Updating DataSunrise Server Parameters.................................................................................................... 25
Changing Web Console's password.............................................................................................................. 26
Displaying a license key................................................................................................................................ 26
Displaying license keys..................................................................................................................................26
Updating a license key.................................................................................................................................. 26
Updating multiple license keys...................................................................................................................... 26
Deleting an existing license key.................................................................................................................... 27
Displaying DataSunrise Server Parameters.................................................................................................. 27
Displaying DataSunrise servers..................................................................................................................... 27
Updating a server...........................................................................................................................................27
Changing the Audit Storage.......................................................................................................................... 28
Cleaning Audit Storage.................................................................................................................................. 29
Enabling Audit Rotation................................................................................................................................. 29
Showing audit.db Copies (Audit Rotation).....................................................................................................29
Creating an audit.db copy (Audit Rotation)................................................................................................... 29
Reading Audit Data from an audit.db Copy (Audit Rotation)........................................................................ 30
Creating a Dictionary Backup........................................................................................................................ 30
Displaying Dictionary backups....................................................................................................................... 30
Cleaning DataSunrise Dictionary................................................................................................................... 31
Recovering Dictionary from a Backup........................................................................................................... 31
Configuring Additional Parameters of DataSunrise....................................................................................... 32

Chapter 4: Configuring Instances.....................................................................33

Adding a new Instance.................................................................................................................................. 33
Adding a new Instance with an Interface and Proxy/Sniffer..........................................................................34
Adding a Trail DB Audit Logs........................................................................................................................38
Displaying an Instance...................................................................................................................................39
Displaying all Instances................................................................................................................................. 39
Displaying a Trail DB Audit Logs.................................................................................................................. 39
 iv
Removing an Instance................................................................................................................................... 40
Deleting a Trail DB Audit Logs......................................................................................................................40
Updating Instances.........................................................................................................................................41
Updating Database Credentials..................................................................................................................... 42
Updating a Trail DB Audit Logs.....................................................................................................................43

Chapter 5: Configuring Interfaces, Proxies, Sniffers...................................... 45

Adding an Interface to the Instance.............................................................................................................. 45
Adding a Proxy...............................................................................................................................................46
Updating a Proxy........................................................................................................................................... 46
Deleting a Proxy.............................................................................................................................................47
Displaying Proxy Information......................................................................................................................... 48
Displaying the most frequently blocked queries............................................................................................ 48
Adding a Sniffer............................................................................................................................................. 48
Displaying Sniffer Information........................................................................................................................ 49
Updating a Sniffer.......................................................................................................................................... 49
Deleting a Sniffer........................................................................................................................................... 50
Updating Metadata......................................................................................................................................... 50
Deleting a Server........................................................................................................................................... 50
Displaying Interfaces...................................................................................................................................... 51
Displaying queries most often blocked.......................................................................................................... 51

Chapter 6: Creating, Editing and Configuring Rules...................................... 52

Creating Rules................................................................................................................................................52
Creating and Editing Security Rules..............................................................................................................52
Creating and Editing Audit Rules.................................................................................................................. 56
Creating and Editing Learning Rules.............................................................................................................60
Creating Masking Rules.................................................................................................................................62
Rules on Specifying Names of DB elements................................................................................................ 68
Displaying a Rule........................................................................................................................................... 69
Displaying a List of Rules................................................................................................................... 69
Deleting a Rule....................................................................................................................................70

Chapter 7: Static Masking................................................................................. 71

Creating a Static Masking task......................................................................................................................71
Relaunching a Static Masking task............................................................................................................... 72
Retrieving a Static Masking Configuration.....................................................................................................72

Chapter 8: Configuring Hosts, Networks, IP addresses/ranges.................... 73

Adding a Host, Network or IP address/range................................................................................................73
Importing multiple Hosts using a CSV file.....................................................................................................73
Displaying a Host, Network or IP address/range.......................................................................................... 74
Updating a Host, Network or IP address/range.............................................................................................75
Deleting a Host, Network or IP address/range..............................................................................................75
Creating a Host Group...................................................................................................................................75
Displaying a Host group................................................................................................................................ 76
Updating a Host group...................................................................................................................................76
Deleting a Host group....................................................................................................................................76

Chapter 9: Database Users................................................................................77

Adding Database Users................................................................................................................................. 77
Importing multiple Users using a CSV file.....................................................................................................77
 v
Creating Groups of Database Users............................................................................................................. 78
Displaying Database Users............................................................................................................................78
Displaying database users.............................................................................................................................78
Displaying Groups of Database Users.......................................................................................................... 78
Updating a Database User Profile.................................................................................................................79
Updating a Group of Database Users........................................................................................................... 79
Deleting Database Users............................................................................................................................... 79
Deleting a Group of Database Users............................................................................................................ 80

Chapter 10: Access Roles................................................................................. 81

Creating an Access Role............................................................................................................................... 81
Creating a DataSunrise user......................................................................................................................... 81
Granting all permissions to a Role................................................................................................................ 82
Granting permissions to a Role..................................................................................................................... 82
Settings permissions to a Role......................................................................................................................85
Deleting an Access Role............................................................................................................................... 85
Revoking all permissions from a role............................................................................................................ 86
Revoking permissions from a Role................................................................................................................86
Deleting a DataSunrise user..........................................................................................................................86
Displaying an Access Role............................................................................................................................ 86
Displaying a list of Access Role.................................................................................................................... 87
Updating an Access Role.............................................................................................................................. 87

Chapter 11: Configuring Client Application Profiles.......................................88

Adding a client application profile..................................................................................................................88
Importing multiple Applications using a CSV file...........................................................................................88
Deleting a client application profile................................................................................................................89
Displaying a client application profile............................................................................................................ 89
Displaying a list of client applications............................................................................................................89
Editing a client application profile.................................................................................................................. 89

Chapter 12: Object Groups................................................................................90

Creating a new Object group.........................................................................................................................90
Deleting an Object group...............................................................................................................................91
Displaying an Object group........................................................................................................................... 91
Displaying all Object groups.......................................................................................................................... 91
Updating an Object group..............................................................................................................................92

Chapter 13: Query Groups................................................................................ 93

Creating a Query group................................................................................................................................. 93
Deleting a Query group................................................................................................................................. 93
Displaying contents of a Query group........................................................................................................... 93
Displaying a list of Query groups.................................................................................................................. 93
Renaming a Query group.............................................................................................................................. 93
Add a query to a Group................................................................................................................................ 94
Removing a query from a group................................................................................................................... 94
Editing a query from a Group........................................................................................................................94

Chapter 14: Configuring Schedules................................................................. 95

Adding a new Schedule.................................................................................................................................95
Deleting a Schedule.......................................................................................................................................95
Displaying a Schedule's settings................................................................................................................... 95
 vi
Showing a list of Schedules.......................................................................................................................... 96
Editing a Schedule......................................................................................................................................... 96

Chapter 15: Configuring Subscribers............................................................. 97

Adding a new Server for Subscribers............................................................................................................97
Deleting a Server profile................................................................................................................................ 97
Displaying Server's profile..............................................................................................................................98
Showing a list of Servers...............................................................................................................................98
Updating a Sending server profile................................................................................................................. 98
Add a Subscriber........................................................................................................................................... 99
Deleting a Subscriber's profile....................................................................................................................... 99
Displaying Subscriber's profile....................................................................................................................... 99
Showing a list of Subscribers........................................................................................................................ 99
Updating a Subscriber profile...................................................................................................................... 100

Chapter 16: Configuring CEF Groups............................................................ 101

Adding a CEF Group................................................................................................................................... 101
Adding a CEF Item...................................................................................................................................... 101
Updating a CEF Group................................................................................................................................ 102
Updating a CEF Item................................................................................................................................... 102
Deleting a CEF Group................................................................................................................................. 102
Deleting a CEF Item.................................................................................................................................... 103
Displaying CEF Groups............................................................................................................................... 103
Displaying CEF Group Parameters............................................................................................................. 103
Displaying a CEF Item.................................................................................................................................103

Chapter 17: Monitoring Events and Sessions............................................... 104

Monitoring Events.........................................................................................................................................104
Displaying session details............................................................................................................................105
Displaying active sessions........................................................................................................................... 105
Displaying network devices..........................................................................................................................105

Chapter 18: Data Discovery.............................................................................106

Adding Data Discovery filter attribute.......................................................................................................... 106
Adding Data Discovery Information Type.................................................................................................... 106
Copying a Data Discovery Information Type...............................................................................................107
Displaying a Data Discovery filter attribute..................................................................................................107
Displaying Data Discovery Information Types............................................................................................. 107
Displaying a Data Discovery Information Type........................................................................................... 107
Deleting a Data Discovery filter attribute..................................................................................................... 107
Removing Data Discovery Information type................................................................................................ 108
Updating Data Discovery filter attribute....................................................................................................... 108
Adding a Data Discovery periodic task....................................................................................................... 109
Updating a Data Discovery periodic task.................................................................................................... 111

Chapter 19: Report Generator.........................................................................113

Creating a Data Audit report........................................................................................................................113
Updating a Data Audit Task........................................................................................................................ 114
Creating a Data Security report...................................................................................................................115
Updating a Data Security Task....................................................................................................................116
Creating a Data Masking report.................................................................................................................. 117
Updating a Data Masking task.................................................................................................................... 118
 vii
Creating an Operation Errors report............................................................................................................ 119
Updating an Operation Errors Task.............................................................................................................120
Creating a Session report............................................................................................................................121
Updating a Session Report task..................................................................................................................122
Creating a System Events report................................................................................................................ 122
Updating a System Events task.................................................................................................................. 122
Creating a Report Gen task on Direct Sessions......................................................................................... 123
Updating a Report Gen task on Direct Sessions........................................................................................ 123
Creating an Instances Status report............................................................................................................ 124
Updating an existing Instances Status Task............................................................................................... 124
Displaying an existing Report Gen task...................................................................................................... 124
Displaying a list of existing Report Gen tasks.............................................................................................124
Displaying existing Report Gen reports....................................................................................................... 125
Deleting a Report Gen task......................................................................................................................... 125

Chapter 20: Configuring Database User Mapping Settings..........................126

Enabling Database User Mapping............................................................................................................... 126
Adding an LDAP server............................................................................................................................... 127
Updating an LDAP server............................................................................................................................128
Adding a Database User Mapping.............................................................................................................. 129
Showing Mapped Users...............................................................................................................................129
Displaying an LDAP server..........................................................................................................................129
Displaying LDAP servers............................................................................................................................. 130
Deleting Database User Mapping Configurations........................................................................................130
Deleting an LDAP server............................................................................................................................. 130
Disabling Database User Mapping.............................................................................................................. 130

Chapter 21: Periodic Tasks............................................................................. 131

Adding a Clean audit periodic task..............................................................................................................131
Updating a Clean audit periodic task.......................................................................................................... 131
Adding a Health check periodic task........................................................................................................... 132
Updating a Health check periodic task........................................................................................................132
Adding an Update metadata periodic task.................................................................................................. 132
Updating an Update metadata periodic task............................................................................................... 132
Adding a Backup Dictionary periodic task................................................................................................... 133
Updating a Backup Dictionary periodic task................................................................................................133
Adding a User Behavior task.......................................................................................................................133
Updating a User Behavior task....................................................................................................................134
Adding a Vulnerability Assessment periodic task........................................................................................ 134
Updating a Vulnerability Assessment periodic task.....................................................................................134
Adding a Query History Table Relation Learning periodic task...................................................................135
Adding a DDL Table Relation Learning periodic task................................................................................. 135
Updating a DDL Table Relation Learning periodic task.............................................................................. 136
Adding an Azure Remove Unused Servers periodic task........................................................................... 136
Updating an Azure Remove Unused Servers periodic task........................................................................ 136
Adding a Kubernetes Remove Unused Servers periodic task.................................................................... 136
Updating a Kubernetes Remove Unused Servers periodic task................................................................. 137
Adding a DB User Synchronization Periodic task....................................................................................... 137
Updating a DB User Synchronization Periodic task.................................................................................... 138
Adding a Test Bucket Accessibility periodic task........................................................................................ 138
Updating a Test Bucket Accessibility periodic task..................................................................................... 138
Deleting a periodic task............................................................................................................................... 139
Displaying a periodic task............................................................................................................................139
Chapter 22: SSL Key Groups.......................................................................... 140
Adding an SSL Key Group.......................................................................................................................... 140
Updating an SSL Key Group....................................................................................................................... 140
Deleting an SSL Key Group........................................................................................................................ 141
Displaying an SSL Key Group.....................................................................................................................141
Displaying SSL Key Groups........................................................................................................................ 141

Chapter 23: Configuring Application User Capturing................................... 142

Adding an Application User Capturing.........................................................................................................142
Updating an Application User Capturing..................................................................................................... 143
Deleting an Application User Capturing.......................................................................................................143
Displaying a list of Application User Capturings..........................................................................................144
Displaying an Application User Capturing settings......................................................................................144

Chapter 24: Tags.............................................................................................. 145

Adding a tag.................................................................................................................................................145
Deleting a tag...............................................................................................................................................145
Displaying a tag........................................................................................................................................... 145
Displaying tagged entities............................................................................................................................ 145
Displaying tags............................................................................................................................................. 146
Displaying untagged entities........................................................................................................................ 146
Updating a tag..............................................................................................................................................146

Chapter 25: Infrastructure-as-Code................................................................ 147

Export a Resource Group to a Template.................................................................................................... 147
Deploy a Resource Group from a Template............................................................................................... 148

Chapter 26: Miscellanious............................................................................... 149

showWorkers................................................................................................................................................ 149
Flush............................................................................................................................................................. 149
Displaying admin queries types................................................................................................................... 149
Checking the Core status............................................................................................................................ 149
Restarting the backend................................................................................................................................ 150
Displaying hosts........................................................................................................................................... 150
Displaying the most frequently blocked queries.......................................................................................... 150
Displaying query types.................................................................................................................................150
Displaying reports.........................................................................................................................................151
Displaying sessions......................................................................................................................................151
Displaying SSL Key Groups........................................................................................................................ 151
Displaying system errors..............................................................................................................................152
Displaying throughput history.......................................................................................................................152
Tracing Audit Counters................................................................................................................................ 152
Connecting to DataSunrise using SSO....................................................................................................... 152
Adding an SSO Service...............................................................................................................................152
Updating an SSO Service entry.................................................................................................................. 154
Displaying SSO Service Settings.................................................................................................................155
Deleting SSO Service.................................................................................................................................. 155
 1 DataSunrise Command Line Interface Overview | 9

1 DataSunrise Command Line

Interface Overview
Advanced DataSunrise users can use the Command Line Interface (CLI) instead of the Web Console to configure
DataSunrise. The CLI enables you to perform all the firewall functions.

Important: To use the CLI, you need to install JRE 8 at least but we recommend using Java 9 or higher because it
supports the TLS 1.3 encryption protocol.

1.1 Running the CLI

The CLI's executable file is located in the cmdline subfolder inside the DataSunrise installation folder
(executecommand.bat or executecommand.sh for Linux). Follow these steps to launch the CLI:
1. Launch the command prompt of your operating system. In order to work in multi-process mode, run CMD with
administrative privileges.
2. Use the cd command to navigate to the directory where the executable file is:

cd C:\Program Files\DataSunrise Database Security Suite\cmdline

3. Execute executecommand.bat (executecommand.sh for Linux):

C:\Program Files\DataSunrise Database Security Suite\cmdline>executecommand.bat

Then you will see a list of available commands.

Important: On a Linux machine, it is required to install Java. The example below is given for Ubuntu.

sudo apt-get install default-jre

sudo apt-get install default-jdk

Set the environment variables for Java.

export JAVA_HOME=/opt/jdk1.8.0_131
export JRE_HOME=/opt/jdk1.8.0_131/jre
export PATH=$PATH:/opt/jdk1.8.0_131/bin:/opt/jdk1.8.0_131/jre/bin

Connecting to a Host

To start working with the firewall you need to connect to the server using the connect command. If you run the
command without necessary parameters, the CLI will output a prompt, displaying missing attributes:

C:\Program Files\DataSunrise Database Security Suite\cmdline>executecommand.bat connect

Missing required options: host, login
usage: connect
Connect to firewall
-host <arg> host where server is running
-login <arg> login
 1 DataSunrise Command Line Interface Overview | 10
-password <arg> password
-port <arg> port where server is running. Default is 11000
-protocol <arg> protocol (http | https). Default is https.

Connect to localhost using admin as the login.

>executecommand.bat connect -host localhost -login admin -password <UI password>

Connect to https://localhost:11000
C:\Users\user\state.txt saved

If you don't specify the password in the command, the command will try to get it from the variable DS_PASSWORD.
If this variable is missing, a blank password will be used.
Every time you successfully connect to the server, a state.txt file is created. It contains encrypted information about
session ID, because if you execute a list of CLI commands, DataSunrise starts a separate process for each command.
On default, session is active for 10 minutes from the moment of the last server activity.
Session information may be saved in some other file. To specify a file name, use DS_STATE_FILE. This variable should
contain only the file name without its full path. For example, name the file “session_state.dat”:

SET DS_STATE_FILE=session_state.dat

To specify the folder, use DS_STATE_DIR. For example, create a folder named “myDir” and set the DS_STATE_DIR
environment variable as follows:

SET DS_STATE_DIR=C:\myDir

As a result, every time a session is started, the session status file is created in the following folder:

c:\myDir\session_state.dat

1.2 Single-Process Mode

The single-process mode provides higher speed of command execution. To activate the single-process mode, use
the -m (manual) option:

>executecommand.bat -m

After running a command with the -m option, you can execute CLI commands without the executecommand.bat
prefix.

C:\firewall\CmdLine>executecommand.bat -m
>connect -host localhost -login admin -password <UI password>
Connect to https://localhost:11000

Then you can execute other CLI commands.

To deactivate single-process mode, use the exit command. For example:

>exit
C:\firewall\CmdLine>
 1 DataSunrise Command Line Interface Overview | 11

1.3 Universal commands

The simplest way to execute a CLI command is to use JSON got from the Web Console. This enables you to create
complex scripts. To make you able to fulfill this task, the CLI provides you with two commands covered in this
subsection.
All CLI commands except callRPC and arbitrary work in the following way:
• When a CLI command is executed, the required JSON based on the command's options is created;
• The JSON is passed to the Backend and then the required RPC is called from the JSON.
callRPC and arbitrary commands in their turn enable you to omit the stage of customizing command's options in
the command line and enables you to jump directly to executing the corresponding JSON.
Let's assume that we need to create a Rule using the corresponding JSON. To get the JSON of interest, open the
Web Console in your web browser and create a Rule of interest. BEFORE saving the Rule, press F12 to show the
Developer Tools of your web browser, then save the Rule. Locate the function of interest in the list of called functions
(the "updateRule" function in our case) and copy its JSON (you might have to click "view parsed" or something
like that to display the function details). This JSON will enable us to create a similar Rule with callRPC or arbitrary
command. Before executing these commands, delete the Rule you've used to get JSON or rename the Rule in the
JSON to avoid name collision. See the example of JSON in the picture below .
 1 DataSunrise Command Line Interface Overview | 12

1.3.1 The "callRPC" command

To read JSON from a certain text file and call an included RPC, use the callRPC command. The following parameters
are available:
Parameter Description

-file <arg> File which contains the required JSON.

-e Replace variables specified in the JSON file with corresponding operating

system's variables.

To call an RPC from a certain file, get the JSON of the function of interest from the Web Console. Paste the JSON in a
new text file and name it somehow, "myfile.txt" for example.
Run the CLI and execute the callRPC command. As the -file option's value, input your file's name and specify its
path:

./executecommand.sh callRPC -file ./myfolder/myfile.txt

To increase the command's flexibility, you can use the -e parameter which enables you to replace the values of
variables specified in your .txt file with you operating system's counterparts. For example, if you use the word
"RULE_NAME" as the "name" parameter's value in your JSON and run callRPC without -e, you will get a Rule named
"RULE_NAME".
But if you add -e to your command, the CLI will search a counterpart of "RULE_NAME" among your operating
system variables and will replace "RULE_NAME" with the OS's "RULE_NAME" environment variable's value. Note that
you should create a RULE_NAME environment variable with some value first. Example:

set RULE_NAME=rule1

The -e parameter is useful for creating scripts because when executing some commands, you might have to use a
variable whose value depends on the result of the previous command execution. For example, this is how you can
create a database Instance, get its ID (id) and assign it as the value of an INSTANCE_ID environment variable:

INSTANCE_ID=$(./executecommand.sh callRPC -file createInstance.txt | jq '.id')

This is how you can create a Rule using the previously created INSTANCE_ID variable. In this case the CLI will take the
INSTANCE_ID variable's value and replace the corresponding fragment of the JSON read from the createRule.txt:

./executecommand.sh callRPC -file createRule.txt -e

This is what a createRule.txt contents might look like (abridged):

{
"data": {
"id": -1,
"name": "new",
"dbInstance_id": "INSTANCE_ID",
"sequence": 1,
"comment": "",
"action": 1,
"blockingType": 0,
"dbType": 4,
...
},
"func": "updateRule",
"queryID": 1241745845,
"session_id": 158490930
 1 DataSunrise Command Line Interface Overview | 13
}

Restriction: though we try our best to provide backward compatibility of JSON, there is a possibility that you will
need to update contents of some JSON files after updating DataSunrise to newer versions.

1.3.2 The "arbitrary" command

The arbitrary command enables you to pass any JSON to the Backend for execution as well. The difference from
callRPC is that arbitrary can't read JSON from an external file, it needs JSON to be specified as the -jsonContent
parameter's value.

Note: if your JSON contains spaces, it should be quoted. All quotes the JSON contains should be escaped using the
-itemEscaping parameter.

The arbitrary command's parameters:

Parameter Description

-function <arg> Function name. It should contain the contents of the "func" section of JSON
taken from your web browser.

-jsonContent <arg> Input your JSON here. It should contain the contents of the "data" section
of JSON taken from your web browser.

-itemEscaping <arg> Custom escaping symbol.

Examples for Windows:

>executecommand.bat arbitrary -function deleteDbUserMapping -jsonContent

{\"dbInstanceID\":2,\"ldap_server_id\":1,\"adUser\":\"mcweenyw_aps\"}"

>executecommand.bat arbitrary -function updatePeriodicTask -jsonContent "{\"id\":-1,\"storePeriodType

\":0,\"storePeriodValue\":0,\"name\":\"test\",\"type\":15,\"lastExecTime\":\"\",\"nextExecTime\":
\"\",\"lastSuccessTime\":\"\",\"lastErrorTime\":\"\",\"serverID\":8,\"forceUpdate\":false,\"params\":
{\"cleanAuditType\":3,\"removeDataOlderThan\":180},\"frequency\":{\"daily\":{\"beginDate\":\"2018-09-28
00:00:00\",\"repeatEvery\":1}},\"updateNextExecTime\":true}"

Examples for Linux:

./executecommand.sh arbitrary -function getCoreObjectsStatus -jsonContent

"{'type':8,'serverID':0}" -itemEscaping \'

./executecommand.sh arbitrary -function updateEventsSubscriber -jsonContent

"{`subscriber_id`:4,`eventIDGroups`:[52002]}" -itemEscaping `

./executecommand.sh arbitrary -function updateSubscriber -jsonContent "{`id`: -1,`address`:

`[email protected]`,`server_id`: 9,`name`: `logical name`,`forceUpdate`: false}" -itemEscaping `
 1 DataSunrise Command Line Interface Overview | 14

1.4 Error codes

Each command executed in multi-process mode displays a return code and a prompt message. When running in
single-process mode, the firewall doesn't start separate process for each command and doesn't display a return
code, but displays a prompt message.
Error codes and corresponding messages:

0, "OK"
65, "Validation Error". An error occurred when validating an input parameter
66, "Operation Failed". Operation was closed with an error
67, "Session Save Error". Encountered an error when saving session parameters
68, "Session Restore Error". An error occurred when restoring session
69, "Command not Found"
70, "DB is Not Available"
71, "Help printed". The command was executed with the "help" parameter (e.g., executecommand.bat connect
-h)
72, "Cancelled". Operation was cancelled by a user
73, "Server Error"
74, "Server is Not Available"
75, "Unused Parameter". The parameter was not used when executing the command
100, "Error". Other error

1.5 Use case

Now we will show the standard working process with DataSunrise, starting with connecting, configuring an Audit
storage, adding a new database in stance and finishing with creation of a new Rule. As a result, DataSunrise will
be configured to audit queries which include keyword "test" in the statement of queries coming from "user_1"
operating from a local PC.
1. First, we need to connect to the system and authorize in it. Note that session is active during 10 minutes since the
last action:

>executecommand.bat connect -host 127.0.0.1 -port 11000 -login admin -password 123123 -protocol https

2. Let's change the Audit Storage location from the SQLite database to a PostgreSQL. It is recommended if you
expect a large volume of traffic to be transferred to the Audit Storage.

>executecommand.bat changeStorage -dbType postgresql -host 192.168.1.123

-database postgres -schema public -password password -login test_user_1 -port 5433

3. Register the database that is required to be monitored (the target database). We will use a MySQL database that is
located at 192.168.1.71:3305. We need to open a proxy on a local interface port so that the database clients will be
able to connect to 127.0.0.1:1025 like to the real database server.

>executecommand.bat addInstancePlus -dbHost 192.168.1.71 -dbPort 3305

-proxyHost 127.0.0.1 -proxyPort 1025 -dbType mysql -database test
-password 1234 -login root -name test

4. We need to create several auxiliary objects that will help us to filter according to the specified IP address and user
name:

>executecommand.bat addHost -startIPv4 127.0.0.1 -name testhost -endIPv4 127.0.0.254

>executecommand.bat addDbUser -name user_1 -dbType mysql -instance test
 1 DataSunrise Command Line Interface Overview | 15
5. In order to filter queries by code, we need to create a group of queries. We will add a SQL query that is required
to be logged to this group of queries. A group can contain many SQL queries specified as regular expressions or as
full text of a SQL query.

>executecommand.bat addQueryGroup -name test_sql_gr

>executecommand.bat addQueryOfGroup -name test_sql_gr -sql ".*test.*" -regExp true

6. Sometimes it is necessary to restrict active period of a Rule. In that case you can use Schedules. To create a
Schedule, use the addSchedule command:

>executecommand.bat addSchedule -name test_schedule -intervals mo08:00:00-18:00:00;tu08:00:00-18:00:00;

we08:00:00-18:00:00;th08:00:00-18:00:00;fr08:00:00-18:00:00

7. Using all the objects specified above we create an audit Rule:

>executecommand.bat addRule -name "TestRule" -dbType mysql -instance test

-action audit -addUsers user_1 -addHosts testhost -intercSqlGr test_sql_gr
-filterType group -schedule test_schedule -logData true -logInStorage true
 2 The List of CLI Commands | 16

2 The List of CLI Commands

Note that the commands can be executed only after a connection to a DataSunrise server has been established.
Get a prompt for any CLI command by using -h, -help, --help.
Example (abridged):

>executecommand.bat showEvents –h
usage: showEvents
Show a list of Events
-app <arg> application
-appOpt <arg> options to search for app. One of Empty, Not Empty,
Like, Not Like, Match, Not Match, Any
-beginDate <arg> begin date formatted as yyyy-MM-dd HH:mm:ss
-data <arg> data
...

Important: If an object name contains a space symbol, enclose the full name in double quotes.

Note: CLI command names are case insensitive. Parameter names of commands are case sensitive.
 2 The List of CLI Commands | 17
Here's the complete list of CLI commands:
Command Description
addAccessRole Adds an Access Role
addApplication Creates a client application profile
addAppUserCapturingSetting Adds an App User Capturing entity
importApplications Adds multiple application profiles using a CSV file
addAuditReportGen Creates a Data Audit report task with Report Gen
addSecurityReportGen Creates a Data Security report task with Report Gen
addMaskingReportGen Creates a Data Masking report task with Report Gen
addOperationErrorsReportGen Creates a Operation Errors report task with Report Gen
addSessionReportGen Creates a Session Report task with Report Gen
addSystemEventsReportGen Creates a report on system events
addHost Adds a host, network or IP address/range
importHosts Adds multiple hosts using a CSV file
addCefGroup Creates a group of CEF items
addCefItem Adds a CEF item
addDSUser Adds a DataSunrise user
addDbUserGr Creates a group of database users
addDbUser Creates a database user profile
importUsers Adds multiple database users using a CSV file
addDbUserMapping Maps an Active Directory user to a database user
addHostGr Creates a host group
addInstancePlus Creates a database instance with instance interface and either Proxy or
Sniffer
addInstance Creates a new database instance
addInterface Creates an interface for the instance
addLdapServer Creates an LDAP server profile
addObjectGroup Creates a group of database objects
addPerCleanAudit Adds Periodic Clean audit task
addPerHealthCheck Adds Periodic Health check task
addPerUpdateMetadata Adds Periodic Update metadata task
addPerBackupDictionary Adds Periodic Backup Dictionary task
addPerUserBehavior Creates a User Behavior Periodic task
addPerTestBucketAccess Adds Periodic Test Bucket Accessibility task
addProxy Adds a proxy to the instance interface
addQueryOfGroup Adds an SQL query from the query group
addQueryGroup Creates a query group
addRule Creates a new security, audit, masking or learning Rule
addAuditRule Creates a new audit Rule
 2 The List of CLI Commands | 18

Command Description
addLearnRule Creates a new learning Rule
addMaskRule Creates a new masking Rule
addSecurityRule Creates a new security Rule
addSchedule Creates a schedule to automatically enable and disable DataSunrise Rules
addServer Adds an SMTP, SNMP or external server for configuring subscription to
DataSunrise notifications
addSniffer Adds a sniffer to the database instance interface
addSslKeyGroup Adds SSL Key Group
addSubscriber Adds a subscriber to receive DataSunrise notifications
addTag Adds a tag to specified Entity
addDiscoveryGr Creates a new DataDiscovery search filter (Information type)
addDiscoveryAttr Adds an attribute to an Information type
arbitrary Executes an arbitrary command using JSON
callRPC Calls an arbitrary RPC from a JSON file
changePwd Changes the password of a specified firewall user
cleanAudit Cleans Audit Storage (audit data storage)
cleanDictionary Resets DataSunrise settings to default and delete all objects created by the
firewall (user accounts, Rules, DB accounts, etc.)
connect Connects to DataSunrise's Web Console
copyDiscoveryGr Makes a copy of a Data Discovery search filter (Information type)
changeParameter Changes the value of a certain firewall parameter
changeStoraqe Changes Audit Storage
createAuditRotation Creates a new audit.db file
createDictionaryBackup Creates a backup of the dictionary (DataSunrise settings)
delAccessRole Deletes an Access Role
delPerTask Deletes a Periodic task
delApplication Deletes a client application entry
delAppUserCapturingSetting Deletes an App User Capturing entity
delCefGroup Deletes a group of CEF items
delCefItem Deletes a CEF item
delDbUserGr Deletes a group of database users
delDbUser Deletes a database user entry
delDbUserMapping Unmaps an Active Directory user from a database user
delHost Deletes a host, network or IP range entry
delHostGr Deletes a group of hosts
delInstance Deletes a database instance
delSslKeyGroup Deletes an SSL Key Group
delInterface Deletes an instance interface
 2 The List of CLI Commands | 19

Command Description
delLdapServer Deletes an existing LDAP server
delLicense Deletes an existing License
delObjectGroup Deletes object groups
delProxy Deletes a proxy from the instance interface
delQueryGroup Deletes a query group
delQuery Deletes a query from the group
delReport Deletes a Report Gen task
delRule Deletes a rule
delServer Deletes a mail server profile (subscribers)
delSchedule Deletes a schedule
delSniffer Deletes a sniffer from instance interface
delSubscriber Deletes a subscriber
delDiscoveryGr Deletes a Data Discovery search filter (Information type)
delDiscoveryAttr Deletes a Data Discovery Information type attribute
delDsServer Deletes a DataSunrise server
delDsUser Deletes a DataSunrise user
delTag Deletes a tag
disableDbUserMapping Disables mapping of AD users to DB users for a certain instance
disconnect Disconnects from DataSunrise Web Console
enableDbUserMapping Enables/disables mapping of Active Directory users to database users
isNeedRestart Checks whether it is necessary to restart Core and Backend processes
flush Updates Backend data and send synchronization command to the Core
grantAllPermToRole Grants ALL permissions to a Role
grantPermToRole Grants specified permissions to a Role
restart Restarts Core process
restartBackend Restarts the Backend
setAuditRotation Reads audit data from an old audit.db file
recoverDictionary Restores dictionary (DataSunrise settings) from a backup
restartStatMasking Relaunches previously performed static masking
revokeAllPermFromRole Revokes all permissions from an existing Access Role
revokePermFromRole Revokes permissions from an existing Access Role
setPermissionsToRole Sets specified permissions for a Role (all existing permissions will be reset)
showAccessRole Shows an existing Access Role
showAccessRoles Shows a list of existing Access Roles
showActiveSessions Shows a list of all active sessions
showApplications Shows a list of client applications
showApplication Shows certain client application entry
 2 The List of CLI Commands | 20

Command Description
showAuditRotations Shows a list of available audit.db files
showCefGroup Shows parameters of a CEF group
showCefGroups Shows a list of CEF groups
showCefItem Shows parameters of a CEF item
showCoreState Shows state of the Core process
showDbUserGr Shows a database user group
showDbUser Shows a database user entry
showDbUsers Shows a list of database users
showAdDbUserMapping Shows a list of mapped users
showAdminQueryTypes Shows types of Administrative queries
showAppUserCapturingList Displays a list of existing App User Capturings
showAppUserCapturingSetting Displays details of a specified App User Capturing
showDictionaryBackups Shows a list of Dictionary backups
showSslKeyGroups Shows a list of SSL Key Groups
showSslKeyGroup Shows an existing SSL Key Group
showPerTask Shows an existing Periodic task
showReports Displays a list of existing Report Gen reports
showReportGen Displays details of an existing Report Gen task
showReportsGen Display a list of existing Report Gen tasks
showTag Shows tag
showTagged Shows tagged entities
showTags Shows tags
showUntagged Shows untagged entities
showEvents Shows a list of events (Audit, Security, Masking events)
showEvent Shows an event from the list of events (Audit, Security, Masking events)
showHost Shows a host name or IP address
showHostGr Shows a group of hosts, networks or IP addresses
showHosts Shows a list of hosts
showInstances Shows a list of available database instances
showInstance Shows a database instance
showInterface Shows an instance interface
showInterfaces Shows a list of interfaces
showLdapServer Shows an existing LDAP server
showLdapServers Shows existing LDAP servers
showMostBlocked Reports on the most frequently blocked queries
showNetDevices Shows network devices and their IP addresses
showObjectGroups Shows a list of object groups
 2 The List of CLI Commands | 21

Command Description
showObjectGroup Shows an object group
showParameters Shows parameters for the changeParameter command
showProxies Shows a list of proxies
showProxy Shows a proxy
showQueryGroups Shows a list of query groups
showQueryGroup Shows a query group
showQueryTypes Shows a list of query types
showReports Shows reports
showRules Shows a list of Rules (Security, Masking, Audit, Learning)
showRule Shows a certain Rule
showServers Shows a list of mail servers (subscribers)
showServer Shows a mail server (subscribers)
showSession Shows a session description
showSessions Shows a list of sessions
showSchedules Shows a list of schedules
showSchedule Shows a schedule
showSniffer Shows a sniffer
showStatMasking Retrieves previously performed static masking configurations in JSON file
showSubscribers Shows a list of subscribers
showSubscriber Shows a subscriber of DataSunrise notifications
showSystemErrors Shows system errors over a certain period of time
showThroughputHistory Shows Throughput history
showDiscoveryGroups Shows a list of Data Discovery search filters (Information types)
showDiscoveryGr Shows a Data Discovery search filter (Information type)
showDiscoveryAttr Shows Data Discovery Information type attribute
showDsServer Shows a DataSunrise server
showDsServers Shows a list of DataSunrise servers
showWorkers Displays a list of available Workers
stop Stops Core process
start Starts Core process
statMask Performs static masking
updateAccessRole Updates an existing Access Role
updateApplication Edits a client application profile
updateAppUserCapturingSetting Updates a specified App User Capturing
updateAuditRule Edits an existing audit rule
updateCefGroup Changes parameters of a CEF group
updateCefItem Changes parameters of a CEF item
 2 The List of CLI Commands | 22

Command Description
updateHost Edits a host or IP address
updateHostGr Edits a host group
updateDbUser Edits a database user entry
updateDbUserGr Edits a group of database users
updateDsServer Updates a DataSunrise server
updateInstance Edits settings of a database instance
updateInterface Edits settings of an instance interface
updateLdapServer Updates an LDAP server profile
updateLearnRule Edits an existing learning rule
updateMaskRule Edits an existing masking rule
updateObjectGroup Edits an object group
updatePerCleanAudit Updates a Periodic Clean audit task
updatePerHealthCheck Updates a Periodic Health check task
updatePerUpdateMetadata Updates s Periodic Update metadata task
updatePerBackupDictionary Updates an existing Periodic Backup Dictionary task
updatePerUserBehavior Updates an existing User Behavior Periodic task
updatePerTestBucketAccess Updates Periodic Test Bucket Accessibility task
updateProxy Edits settings of an existing proxy
updateQueryGroup Edits a query group
updateQueryOfGroup Edits the query of a certain query group
updateRule Edits an existing rule
updateSchedule Edits a schedule
updateSecurityRule Edits an existing security rule
updateServer Edits settings of a subscriber server (SMTP, SNMP, external)
updateSniffer Edits sniffer settings
updateSslKeyGroup Updates an SSL Key Group
updateSubscriber Edits a subscriber profile
updateLicense Updates a license key
updateLicenses Uploads multiple license keys
updateMetadata Updates metadata
updateTag Updates a tag
updateAuditReportGen Updates a Data Audit report task
updateSecurityReportGen Updates a Data Security report task
updateMaskingReportGen Updates a Data Masking report task
updateOperationErrorsReportGen Updates a Operation Errors report task
updateSessionReportGen Updates a Session report task
 2 The List of CLI Commands | 23

Command Description
updateSystemEventsReportGen Updates a System Events report task

Each command has two obligatory additional parameters (see below). For the complete list of parameters see each
command's description.
Command Description
-json Show response from the Backend "as is" (JSON format)
-debug Show request to the server and response from the server (for debugging)
 3 Commands for Configuring System Settings | 24

3 Commands for Configuring System

Settings

3.1 Connecting to the DataSunrise's server

This is the first command you would use. To connect to the DataSunrise's server, use the connect command with the
following options:
Parameter Description
-host DataSunrise Web Console host.
-login <arg> User name to access the Web Console.
-password <arg> Password to access the Web Console.
-port <arg> Port used by the Web Console (11000 by default).
-protocol <arg> A protocol used to connect to the DataSunrise server (https by default).

Example:

>executecommand.bat connect -host localhost -login admin -password admin01 -port 11000

3.2 Disconnecting from DataSunrise

To disconnect from DataSunrise server, use the disconnect command with the following options:
Parameter Description
-f Disconnect without confirmation.

3.3 Starting DataSunrise's Core

To start DataSunrise's Core process, use the start command with the following options:
Parameter Description
-f Start service without confirmation.
-dsServer <arg> Logical name of the DataSunrise server.
-worker <arg> Worker name. To see the full list of all available workers, use the
"showWorkers" command. If an option is not specified, flush will be
executed for all workers.
 3 Commands for Configuring System Settings | 25

3.4 Stopping DataSunrise's Core

To stop DataSunrise's Core process, use the stop command with the following options:
Parameter Description
-f Stop service without confirmation.
-dsServer <arg> Logical name of the DataSunrise server.
-f Force execution. No confirmation is required
-worker <arg> Worker name. To view the full list of all available workers, use the
"showWorkers" command. If an option is not specified, flush will be
executed for all workers

3.5 Restarting the Core

To restart the Core, use the restart command with the following options:
Parameter Description
-f Restart without confirmation.
-dsServer <arg> Logical name of the DataSunrise server.
-worker <arg> Worker name. To see the full list of all available workers, use the "show
Workers" command. In an option is not specified, flush will be executed for
all workers.

3.6 Checking restart necessity

To check if restart is needed after certain changes were made, use the isNeedRestart command.

3.7 Updating DataSunrise Server Parameters

To update DataSunrise server parameters, use the updateDsServer command:
Parameter Description
-name <arg> Current name of the DataSunrise server.
-newName <arg> New name of the DataSunrise server.
-backendHost <arg> Backend's hostname.
-backendPort <arg> Backend's port number.
-corePort <arg> Core's port number.
-backendHttps <true | false> Enable/disable https for the Backend.
-coreHttps <true | false> Enable/disable https for the Core.
 3 Commands for Configuring System Settings | 26

3.8 Changing Web Console's password

To change DataSunrise administrator password, use the changePwd command with the following options:
Parameter Description

-currentPwd <arg> The current admin password.

-login <arg> Name of user to change password for ("admin" for administrator).

-newPwd <arg> A new password.

Example:

>executecommand.bat changePwd -currentPwd password -login admin -newPwd adminus

3.9 Displaying a license key

To display DataSunrise license key, use the showLicense command with the following options:
Parameter Description
-id <arg> License key ID

3.10 Displaying license keys

To display existing DataSunrise license keys, use the showLicenses command.

3.11 Updating a license key

To update a DataSunrise license key, use the updateLicense command with the following options:
Parameter Description
-key <arg> Specify a new license key.

3.12 Updating multiple license keys

To upload multiple DataSunrise license keys from a file, use the updateLicenses command with the following
options:
Parameter Description
-file <arg> Path to the file which contains the license keys.
 3 Commands for Configuring System Settings | 27

3.13 Deleting an existing license key

To remove an existing DataSunrise license key, use the delLicense command with the following options:
Parameter Description
-id <arg> License key ID.

3.14 Displaying DataSunrise Server

Parameters
To retrieve information about the DataSunrise server, use the showDsServer command:
Parameter Description

-name <arg> Logical name of the DataSunrise server.

3.15 Displaying DataSunrise servers

To display a list of DataSunrise servers, use the showDsServers command.

3.16 Updating a server

To update a DataSunrise server entry, use the updateDsServer command:
Parameter Description

-backendHost <arg> Backend host name

-backendHttps <true | false> Enable/disable HTTPS for the Backend

-backendPort <arg> Backend port number

-coreHttps <true | false> Enable/disable HTTPS for the Core

-corePort <arg> Core port number

-name <arg> Logical name of the server

-newName <arg> New name for the server

Example:

>executecommand.bat updateDsServer -backendHost localhost -backendHttp false -backendPort 11000 -

coreHttps true -core Port 11001 -name myserver -newName newserver
 3 Commands for Configuring System Settings | 28

3.17 Changing the Audit Storage

To change the Audit Storage database, use the changeStorage command with the following options:
Parameter Description

-connectionString <arg> Custom connection string. For PostgreSQL and MS SQL only

-database <arg> Audit Storage database name. For Aurora PostgreSQL, Aurora MySQL,
PostgreSQL, MySQL, MS SQL only

-schema <arg> Audit Storage database schema. For Aurora PostgreSQL, PostgreSQL only

-dbType <arg> Audit Storage DB type (aurora mysql | aurora postgresql | mysql | postgresql
| sqlite | mssql)

-folderName <arg> Folder name for SQLIte Audit Storage

-host <arg> Host of the Audit Storage database. For Aurora MySQL, Aurora PostgreSQL,
MySQL, MS SQL, PostgreSQL only
-login <arg> Database user login. For Aurora MySQL, Aurora PostgreSQL, MySQL, MS
SQL, PostgreSQL only
-password <arg> Database user password. For Aurora MySQL, Aurora PostgreSQL, MySQL,
MS SQL, PostgreSQL only
-port <arg> Port of the Audit Storage database. For Aurora MySQL, Aurora PostgreSQL,
MySQL, MS SQL, PostgreSQL only
-cyberArkFolder CyberArk folder name (not for SQLite)
-cyberArkSafe CyberArk safe name (not for SQLite)
-cyberArkObject CyberArk object name (not for SQLite)
-ssl Enable SSL

Example:

>executecommand.bat changeStorage -database audit -dbType postgresql - host 192.168.1.1.91 -login

adminus -password 123456 -port 5432
 3 Commands for Configuring System Settings | 29

3.18 Cleaning Audit Storage

To remove all audit data from DataSunrise Audit Storage (SqLite or external database), use the cleanAudit
command with the following options:
Parameter Description

-f Clean Audit Storage without confirmation.

-cleanType <arg> Method of cleaning:

• deleteAll: clean tables with DELETE
• dropAll: drop and recreate the tables
• deleteBefore: remove all events before the date specified with -date (For
MySQL only).

-date <arg> Used with -deleteBefore (see above)

-u Force Audit Storage cleaning even if some core processes have not been
stopped (when working in the High Availability mode).

Example:

>executecommand.bat cleanAudit -f -u

3.19 Enabling Audit Rotation

To enable Audit Rotation, use the changeParameter -name AuditRotationEnabled -value 1 command.
Example:

>executecommand.bat changeParameter -name AuditRotationEnabled -value 1

3.20 Showing audit.db Copies (Audit

Rotation)
To display all available audit.db files, use the showAuditRotations command.

3.21 Creating an audit.db copy (Audit

Rotation)
To create a new audit.db file copy, use the createAuditRotation command.
 3 Commands for Configuring System Settings | 30

3.22 Reading Audit Data from an audit.db

Copy (Audit Rotation)
To read old audit data from a previously-created audit.db file, use the setAuditRotation command with the
following parameters:
Parameter Description

-id <arg> ID of the backup.

3.23 Creating a Dictionary Backup

To create a Dictionary backup, use the createDictionaryBackup command:
Parameter Description

-o Backup Objects.

-s Backup Settings.

-u Backup Users.

Example:

>executecommand.bat createDictionaryBackup -o -s -u

3.24 Displaying Dictionary backups

To display a list of Dictionary backups, use the showDictionaryBackups command.
 3 Commands for Configuring System Settings | 31

3.25 Cleaning DataSunrise Dictionary

To remove all object created by DataSunrise (Rules, DB and User profiles etc.), use the cleanDictionary command
with the following options:
Parameter Description

-f Clean Dictionary without confirmation.

-d Clean Database entries.

-o Clean Object entries.

-r Clean Rule entries

-restart Restart the Core.

-s Clean the Settings.

-u Clean User entries.

Example:

>executecommand.bat cleanDictionary -f

3.26 Recovering Dictionary from a Backup

To recover dictionary (DataSunrise settings) from previously created backup, use the recoverDictionary command
with the following parameters:
Parameter Description

-dsServer <arg> Name of the DataSunrise server the backup file is located on

-id <arg> ID of the backup

Example:

>executecommand.bat recoverDictionary -id 2019-03-01_10_01_55 -dsServer local

3.27 Configuring Additional Parameters of
DataSunrise
To change the value of a certain firewall parameter, use the changeParameter command with the following
parameters:
Command Description
-name <arg> The name of the parameter you want to change.
-value <arg> New value of the parameter.
-dsServer <arg> DataSunrise server.

Example:

>executecommand.bat changeParameter -name AWSUsesHTTPS -value 0 -dsServer ds1

Use the showParameters command to see all parameters.

Note: for the list of additional parameters, refer to the User Guide, subs. 4.1.3
 4 Configuring Instances | 33

4 Configuring Instances

4.1 Adding a new Instance

To create a database Instance profile, use the addInstance command:
Parameter Description

-database <arg> Name of the database (for Aurora PostgreSQL, DB2, Greenplum, Hive, Informix,
Impala, MSSQL, MongoDB, Netezza, PostgreSQL, Redshift, SAP Hana, Sybase,
Teradata, Vertica)

-dbType <arg> Select the database type (athena | aurora mysql | aurora postgresql | cassandra
| db2 | dynamodb | elasticsearch | greenplum | hive | impala | informix | mariadb
| mongodb | mssql | mysql | netezza | oracle | postgresql | redshift | sap hana |
sybase | teradata | vertica)

-hostFQDN <arg> Kerberos host FQDN for Hive and Impala

-instance <arg> Instance name for Oracle database

-instanceType <arg> Instance type for Oracle (sid | name)

-kerberosName <arg> Kerberos service name

-kerberosRealm <arg> Kerberos realm for Hive and Impala

-login <arg> User name to access the database

-loginType <arg> Login type: Without Authentication | Regular | Active Directory | IAM Role

-name <arg> Logical name of the Instance

-sysDba <true | false> Connect to the Oracle database with SYSDBA privileges (Oracle-specific option)

-tableRelations <true | false> Search for table relations and include them in the default target database
relation
-queryGroups2FA <arg> Comma-separated list of query groups, queries of which are used to access the
database when configuring 2FA
-queryResultLocation <arg> Query result location for Amazon Athena
-serverName <arg> Server name for Informix
-awsRegion <arg> AWS Region for DynamoDB, Amazon Athena, Amazon Elasticsearch, Amazon
Aurora MySQL Amazon Aurora PostgreSQL
-metadataRetrievalMethod Metadata retrieval method: Regular | Via Stored Procedures (for Aurora MySQL,
<arg> MariaDB, MySQL only)
-protocolType <arg> Protocol type for MySQL-like databases: Usual | HTTP | XProtocol
-acceptOnly2FAUsers <arg> Accept only users authenticated with 2FA
 4 Configuring Instances | 34

4.2 Adding a new Instance with an Interface

and Proxy/Sniffer
The addInstancePlus command enables you to create an Instance, assign an interface and a proxy or a sniffer.
Below is an example of adding an instance to a MySQL database along with opening a proxy on a local interface
(127.0.0.1):

>executecommand.bat addInstancePlus -dbType mysql -dbHost 192.168.1.71

-dbPort 3306 -proxyHost 0.0.0.0 -proxyPort 3309 -name Inst2
-login root -password 1234
 4 Configuring Instances | 35
The addInstancePlus command's parameters:
Parameter Description
-acceptSslConnectionsOnly Accept only SSL-encrypted connections
<arg>
-account <arg> Cloud service name for Snowflake
-awsRegion <arg> AWS Region for DynamoDB, Amazon Athena, Amazon Aurora PostgreSQL,
Aurora MySQL, Elasticsearch
-awsSmId <arg> AWS Secrets Manager ID
-azureKeyVault <arg> MS Azure Key Vault
-azureSecretName <arg> MS Azure Secret Name

-connString <arg> Custom connection string for Aurora PostgreSQL, Cassandra, DB2, Greenplum,
Hive, Impala, Informix, MongoDB, MSSQL, Netezza, Oracle, PostgreSQL, Sybase,
Redshift, SAP Hana, Snowflake, Teradata, Vertica

-cyberArkFolder <arg> CyberArk Folder

-cyberArkObject <arg> CyberArk Object
-cyberArkSafe <arg> CyberArk Safe

-dsServer <arg> Logical name of the DataSunrise server

-hostFQDN <arg> Kerberos Host FQDN

-database <arg> Name of the database (for DB2, Greenplum, Hive, SQL Server, Netezza,
PostgreSQL, Aurora PostgreSQL, Redshift, Teradata, Mongo, SAP Hana, Vertica,
Impala, Sybase). For DynamoDB, this option is used for Dynamo region

-dbType <arg> (aurora mysql | aurora postgresql | db2 | greenplum | hive | mariadb | mysql |
mssql | netezza | oracle | postgresql | redshift | teradata | sap hana | vertica |
mongo | dynamo | impala | cassandra | sybase | snowflake | elasticsearch)

-dbPort <arg> Database port number

-dbHost <arg> Database host name

-enableAgent <true | false> Enable agent

-envAutoCreate <true | false> Create DS Environment automatically (available for: MariaDB, Aurora MySQL,
Oracle,Aurora PostgreSQL, PostgreSQL, Redshift, Greenplum, MSSQL

-envName <arg> DS Environment Name (available for: MariaDB, Aurora MySQL, Oracle, Aurora
PostgreSQL, PostgreSQL, Redshift, Greenplum, MSSQL

-instance <arg> Instance name for Oracle database.

-instanceType <arg> Instance type for Oracle (sid | name).

-keyGroupName <arg> Name of the group of Certificates to be used for client.

-dbKeyGroupName <arg> Name of the group of Certificates to be used for database connection

-login <arg> User name to access the database.

-loginType <arg> Login type: Without Authentication | Regular | Active Directory | IAM Role
 4 Configuring Instances | 36

Parameter Description

-password <arg> Password to access the database.

-name <arg> Logical name of the Instance.

-sysDba Connect to an Oracle database with SYSDBA privileges (Oracle-specific option).

-ipVersion <arg> IP version ( IPv4 | IPv6 | Auto ). Auto is selected by default.

-kerberosName <arg> Kerberos service name

-kerberosRealm <arg> Kerberos Realm

-proxyHost <arg> Proxy host name

-proxyPort <arg> Proxy port number

-roleARN <arg> AWS Role ARN

-sid Use SID for connection instead of Service Name (default). (Oracle-specific,
optional)

-snifferDevice <arg> Network adapter the traffic of which will be sniffed. Only several first letters of
Interface name are permitted

-ssl Use SSL when connecting to the database. For DynamoDB, this option is used
for https connection. Otherwise, http will be used

-tableRelations <true | false> Search for table relations and include them in the default target database
relation
-queryGroups2FA <arg> Comma-separated list of query groups, queries of which are used to access the
database when configuring 2FA
-queryResultLocation <arg> Query result location for Amazon Athena
-metadataRetrievalMethod Metadata retrieval method: Regular | Via Stored Procedures (for Aurora MySQL,
<arg> MariaDB, MySQL only)
-protocolType <arg> Protocol type for MySQL-like databases, S3, Athena, ElasticSearch: Usual | HTTP
| XProtocol | HTTP Proxy:
• HTTP Proxy: -protocolType "HTTP Proxy"
• HTTP Reverse proxy: -protocolType "HTTP"
• HTTPS Proxy: -protocolType "HTTP Proxy" -ssl
• HTTPS Reverse proxy: -protocolType "HTTP" -ssl

-verifyCA <arg> Verify CA

-savePassword <arg> Password storage type: no | ds | ca | awssm | azurekv
-serverName <arg> Server name for Informix

Example (Athena Instance):

addInstancePlus -name athena_example -dbType athena -dbPort 443 -dbHost athena.us-east-1.amazonaws.com

-loginType "Regular" -savePassword ds -login <access key> -password <secret key> -proxyHost 0.0.0.0 -
proxyPort 648 -queryResultLocation <path> -protocolType HTTP -ssl -awsRegion us-east-1
 4 Configuring Instances | 37
Example (Sniffer):

addInstancePlus -name s3_example -dbType s3 -dbPort 443 -dbHost s3.amazonaws.com -loginType "Regular"
-savePassword ds -login <access key> -password <secret key> -snifferDevice "Intel(R) Wi-Fi 6 AX201
160MHz" -dsServer local -protocolType "HTTP -ssl

Example (S3):

addInstancePlus -name s3_example -dbType s3 -dbPort 443 -dbHost s3.amazonaws.com -loginType "Regular"
-savePassword ds -login <access key> -password <secret key> -proxyHost 0.0.0.0 -proxyPort 547 -ssl -
protocolType "HTTP Proxy"
 4 Configuring Instances | 38

4.3 Adding a Trail DB Audit Logs

To add a Trail DB Audit Logs entity to a database Instance profile, use the addLogTrail command with the following
parameters:
Parameter Description
-accessKey <arg> Access key
-awsSmId <arg> AWS Secrets Manager ID
-azureKeyVault <arg> MS Azure Key Vault
-azureSecretName MS Azure Secret Name
<arg>
-blobContainerName Blob container name for Azure Connection Type
<arg>
-clientId <arg> Client ID for Azure Connection Type
-clientSecret <arg> Client secret for Azure Connection Type
-connectType Connection type: AWS | SMB | Local Folder | Oracle Package | Azure
-cyberArkFolder <arg> CyberArk Folder
-cyberArkObject <arg> CyberArk Object
-cyberArkSafe <arg> CyberArk Safe
-dbIdentifier <arg> DB Identifier
-delLogs <true | false> Delete processed logs
-dsServer <arg> DataSunrise server the proxy or sniffer is used on
-enable <true | false> Enable/disable trailing
-formatType <arg> Format type: Database | XML | CSV | JSON
-host <arg> Host name
-instance <arg> Logical name of the Instance
-interfaceHost <arg> Interface host
-interfacePort <arg> Interface port number
-localPath <arg> Local path
-login <arg> Login
-loginType <arg> Login Type: Without Authentication | Regular | Active Directory | IAM Role
-oraclePackage <arg> Oracle Package
-path <arg> Log Path
-period <arg> Periodicity of requesting data
-pwd <arg> Password
-region <arg> AWS Region
-roleARN <arg> Role ARN
-savePassword <arg> Password storage type: ds | ca | awssm | azurekv
-secretKey <arg> Secret key
 4 Configuring Instances | 39

Parameter Description
-storageAccountName Storage Account name for Azure Connection Type
<arg>
-tenantId <arg> Tenant ID for Azure Connection Type
-testConnection Test connection before creating a task. If test fails a task will not be created

Example:

executecommand.sh addLogTrail -instance PostgreSQL -interfaceHost tin-

testdb.postgres.database.azure.com -interfacePort 5432 -formatType JSON -connectType Azure -
storageAccountName svsstorageacc -blobContainerName insights-logs-postgresqllogs -clientSecret
78B8Q~ybA9Kcv5jLrW7Kj7t2P6vcv3 -tenantId d2dcbfee-4e37-8d6a-6178dbe3f07f -clientId cea24ab8-47f1-9b86-
b9c175f2ece7 -testConnection

4.4 Displaying an Instance

To view an existing Instance, use the showInstance command with the following options:
Parameter Description

-name <arg> Logical name of the Instance to view. Use showInstances command to
search for the Instance of interest.

4.5 Displaying all Instances

To view a list of all existing Instances, use the showInstances command.

4.6 Displaying a Trail DB Audit Logs

To display an existing Trail DB Audit Logs entity, use the showLogTrail command:
Parameter Description
-dsServer <arg> DataSunrise server the proxy or sniffer is used on
-instance <arg> Logical name of the Instance
-interfaceHost <arg> Interface host
-interfacePort <arg> Interface port number
 4 Configuring Instances | 40

4.7 Removing an Instance

To remove an existing Instance from DataSunrise, use the delInstance command with the following parameters:
Parameter Description

-name <arg> Logical name of the instance to remove. Use the showInstances command
to search for the Instance of interest.

4.8 Deleting a Trail DB Audit Logs

To delete an existing Trail DB Audit Logs entity, use the delLogTrail command:
Parameter Description
-dsServer <arg> DataSunrise server the proxy or sniffer is used on
-instance <arg> Logical name of the Instance
-interfaceHost <arg> Interface host
-interfacePort <arg> Interface port number
 4 Configuring Instances | 41

4.9 Updating Instances

To update an existing Instance, use the updateInstance command with the following parameters:
Parameter Description

-database <arg> Name of a database to update an Instance for. For DB2, Greenplum, MySQL,
PostgreSQL, Redshift, Teradata only. For DynamoDB, this option is used for
Dynamo region.

-envAutoCreate <true | false> Create DS Environment automatically (available for: MariaDB, Aurora MySQL,
Oracle,Aurora PostgreSQL, PostgreSQL, Redshift, Greenplum, MSSQL

-envName <arg> DS Environment Name (available for: MariaDB, Aurora MySQL, Oracle, Aurora
PostgreSQL, PostgreSQL, Redshift, Greenplum, MSSQL

-instance <arg> Instance name for Oracle database.

-instanceType <arg> Instance type for Oracle database (sid | name).

-keyGrId <arg> ID of a group of certificates.

-login <arg> User name to access the database.

-name <arg> Logical name

-newName <arg> New Instance name.

-sysDba <true | false> Connect to Oracle database with SYSDBA privileges.

-tableRelations <true | false> Search for table relations and include them in the default target database
relation
-queryGroups2FA <arg> Comma-separated list of query groups, queries of which are used to access the
database when configuring 2FA
-queryResultLocation <arg> Query result location for Amazon Athena
-awsRegion <arg> AWS Region for DynamoDB, Amazon Athena, Amazon Elasticsearch,
PostgreSQL, MySQL
-metadataRetrievalMethod Metadata retrieval method: Regular | Via Stored Procedures (for Aurora MySQL,
<arg> MariaDB, MySQL only)
-protocolType <arg> Protocol type for MySQL-like databases: Usual | HTTP | XProtocol
-acceptOnly2FAUsers <arg> Accept only users authenticated with 2FA
 4 Configuring Instances | 42

4.10 Updating Database Credentials

To set new login and password for an existing database Instance, use the updateInstanceCredentials command:
Parameter Description

-instance <arg> Database Instance name

-login <arg> User name to access the database

-password <arg> New password

 4 Configuring Instances | 43

4.11 Updating a Trail DB Audit Logs

To edit an existing Trail DB Audit Logs entity, use the updateLogTrail command with the following parameters:
Parameter Description
-accessKey <arg> Access key
-awsSmId <arg> AWS Secrets Manager ID
-blobContainerName Blob container name for Azure Connection Type
<arg>
-clientId <arg> Client ID for Azure Connection Type
-clientSecret <arg> Client secret for Azure Connection Type
-connectType Connection type: AWS | SMB | Local Folder | Oracle Package | Azure
-cyberArkFolder <arg> CyberArk Folder
-cyberArkObject <arg> CyberArk Object
-cyberArkSafe <arg> CyberArk Safe
-dbIdentifier <arg> DB Identifier
-delLogs <true | false> Delete processed logs
-dsServer <arg> DataSunrise server the proxy or sniffer is used on
-enable <true | false> Enable/disable trailing
-formatType <arg> Format type: Database | XML | CSV
-host <arg> Host name
-instance <arg> Logical name of the Instance
-interfaceHost <arg> Interface host
-interfacePort <arg> Interface port number
-localPath <arg> Local path
-login <arg> Login
-loginType <arg> Login Type: Without Authentication | Regular | Active Directory | IAM Role
-oraclePackage <arg> Oracle Package
-path <arg> Log Path
-period <arg> Periodicity of requesting data
-pwd <arg> Password
-region <arg> AWS Region
-roleARN <arg> Role ARN
-savePassword <arg> Password storage type: ds | ca | awssm
-secretKey <arg> Secret key
-storageAccountName Storage Account name for Azure Connection Type
<arg>
-tenantId <arg> Tenant ID for Azure Connection Type
Parameter Description
-testConnection Test connection before creating a task. If test fails a task will not be created
 5 Configuring Interfaces, Proxies, Sniffers | 45

5 Configuring Interfaces, Proxies,

Sniffers

5.1 Adding an Interface to the Instance

If your database has several client connection points, each of the connection points can have its own proxy. Note
that in order to maintain proper functioning of a sniffer, all database interfaces must be specified, including IPv4 and
IPv6. Only in this case DataSunrise will intercept the whole network traffic. To add an interface to the instance, use
the addInterface command.

>executecommand.bat addInterface -instance Inst2 -newHost 192.168.1.71 -newPort 3306

The addInterface command's parameters:

Parameter Description

-instance <arg> Logical name of the Instance.

-ipVersion <arg> IP version ( IPv4 | IPv6 | Auto ). Auto is default value.

-newHost <arg> IP address or host name of the database server.

-newPort <arg> Port number to connect to the database.

-ssl <arg> Use SSL when connecting to Oracle or DB2 ( no | ssl ). For DynamoDB, this
option is used for http and https connections respectively.

To retrieve information about an Interface, use the showInterface command:

>executecommand.bat showInterface -instance Inst2 -host 192.168.1.71 -port 3306

Host : 192.168.1.71
Port : 3306
IP Version : Auto
Encryption : No

Parameter Description

-host <arg> IP address or hostname of the interface.

-instance <arg> Logical name of the interface's Instance.

To change host or port numbers of an interface use the updateInterface command:

>executecommand.bat updateInterface -instance Inst2 -newPort 3310 -prevPort 3306

-prevHost 192.168.1.71 -newHost 192.168.1.71
 5 Configuring Interfaces, Proxies, Sniffers | 46

Parameter Description

-newHost <arg> A new IP address or hostname of the database server.

-newPort <arg> A new port number to connect to the database.

-prevHost <arg> The current IP address or hostname.

-prevPort <arg> The current port number.

To delete an Interface use the delInterface command:

>executecommand.bat delInterface -instance Inst2 -host 192.168.1.71 -port 3310

Parameter Description

-host <arg> IP address or hostname of the interface.

-port <arg> Port number of the interface.

-instance Logical name of the interface's Instance

5.2 Adding a Proxy

To add a new proxy to the instance interface, use the addProxy command. You can add several proxies to one
instance and create different security policies for each proxy.

>executecommand.bat addProxy -instance Inst2 -interfaceHost 192.168.1.71

-interfacePort 3306 -proxyHost 0.0.0.0 -proxyPort 3310

The addProxy command's parameters:

Parameter Description
-instance <arg> Logical name of the Instance for which the proxy will be created.
-interfaceHost <arg> Host of the Instance Interface to which the proxy traffic will be transferred.
-interfacePort <arg> Port of the Instance Interface to which the proxy traffic will be transferred.
-proxyHost <arg> Local network interface in which proxy will be opened.
-proxyPort <arg> Port on which the proxy will be opened.
-dsServer <arg> Logical name of the DataSunrise server for which the proxy will be created
(optional). In case you don't specify the DataSunrise server, the proxy will be
created for the server you are connected to.

5.3 Updating a Proxy

To change proxy settings, use the updateProxy command:

>executecommand.bat updateProxy -instance Inst2 -interfaceHost 192.168.1.71

 5 Configuring Interfaces, Proxies, Sniffers | 47
-interfacePort 3306 -prevProxyHost 0.0.0.0 -prevProxyPort 3310 -proxyHost
0.0.0.0 -proxyPort 3309

The updateProxy command's parameters:

Parameter Description
-prevProxyHost <arg> Current proxy hostname.
-prevProxyPort <arg> Current proxy port number.
-instance <arg> Logical name of the Instance which the proxy will be created for.
-proxyHost <arg> New proxy hostname.
-proxyPort <arg> New proxy port name.
-interfaceHost <arg> Hostname of the Instance Interface to which the proxy traffic will be
transferred.
-interfacePort <arg> Port number of the Instance Interface to which the proxy traffic will be
transferred.
-enable <true | false> Enable/disable the proxy.
-dsServer <arg> Logical name of the DataSunrise server.

5.4 Deleting a Proxy

To delete an existing proxy, use the delProxy command:

>executecommand.bat delProxy -instance Inst2 -interfaceHost 192.168.1.71

-interfacePort 3309 -proxyHost 0.0.0.0 -proxyPort 3310

The delProxy command's parameters:

Parameter Description
-instance <arg> Logical name of the Instance proxy of which to delete
-interfaceHost <arg> Host of the Instance Interface proxy traffic is transferred to
-interfacePort <arg> Port of the Instance Interface proxy traffic is trasferred to
-proxyHost <arg> Proxy host
-proxyPort <arg> Proxy port
 5 Configuring Interfaces, Proxies, Sniffers | 48

5.5 Displaying Proxy Information

To display the information about a proxy, use the showProxy command:
Parameter Description
-instance <arg> Logical name of the Instance.
-interfaceHost <arg> Hostname of the Instance.
-interfacePort <arg> Port number of the Instance.
-proxyHost <arg> Hostname of the proxy.
-proxyPort <arg> Port number of the proxy.
-dsServer <arg> Logical name of the DataSunrise server.

5.6 Displaying the most frequently blocked

queries
To display a report on the most frequently blocked queries, use the showMostBlocked command with the following
parameters:
Parameter Description

-beginDate <arg> Begin date (yyyy-MM-dd HH:mm:ss)

-endDate <arg> End date (yyyy-MM-dd HH:mm:ss).

-instance <arg> Logical name of the instance or "any".

5.7 Adding a Sniffer

If you want to intercept mirrored traffic, you need to create a sniffer. To add a new sniffer to the instance interface,
use the addSniffer command:

>executecommand.bat addSniffer -device Realtek -instance Inst2 -interfaceHost 192.168.1.71 -

interfacePort 3306
 5 Configuring Interfaces, Proxies, Sniffers | 49
The addSniffer command's parameters:
Parameter Description
-device <arg> Device to sniff traffic.
-instance <arg> Logical name of the instance.
-interfaceHost <arg> Host name or an IP address of an existing instance interface.
-interfacePort <arg> Port of an existing instance interface.
-dsServer <arg> Logical name of the DataSunrise server for which the sniffer will be created
(optional). In case you don't specify the DataSunrise server, the sniffer will
be created for the server you are connected to.

5.8 Displaying Sniffer Information

To retrieve information about a sniffer, use the showSniffer command:

>executecommand.bat showSniffer -device Realtek -instance Inst2 -interfaceHost 192.168.1.71 -

interfacePort 3306
Name : Realtek PCIe GBE Family Controller
Device : \Device\NPF_{4A615D2B-FD87-4FAC-A0E7-9CD007BAA376}

The showSniffer command's parameters:

Parameter Description
-device <arg> Device to sniff traffic.
-instance <arg> Logical name of the Instance.
-interfaceHost <arg> Host name or an IP address of an existing instance interface.
-interfacePort <arg> Port of an existing instance interface.
-dsServer <arg> Logical name of the DataSunrise server.

5.9 Updating a Sniffer

To update a sniffer, use the updateSniffer command:
Parameter Description
-device <arg> Device to sniff traffic.
-instance <arg> Logical name of the Instance.
-interfaceHost <arg> Host name or an IP address of an existing instance interface.
-interfacePort <arg> Port of an existing instance interface.
-enable <true | false> Enable/disable the sniffer.
-dsServer <arg> Logical name of the DataSunrise server.
 5 Configuring Interfaces, Proxies, Sniffers | 50

5.10 Deleting a Sniffer

To delete a sniffer, use the delSniffer command:

>executecommand.bat delSniffer -device Realtek -instance Inst2 -interfaceHost 192.168.1.71 -

interfacePort 3306

The delSniffer command's parameters:

Parameter Description
-device <arg> Device to sniff traffic.
-instance <arg> Logical name of the Instance.
-interfaceHost <arg> Host name or an IP address of an existing instance interface.
-interfacePort <arg> Port of an existing instance interface.

5.11 Updating Metadata

Database firewall requires information about internal structure of the database. When a new instance is added,
metadata is updated automatically, but sometimes, if you have modified tables directly in the database, you need to
use the updateMetadata command to detect changes in the database from network traffic.

>executecommand.bat updateMetadata -instance test_db -login admin -password adminus

The updateMetadata command's parameters:

Parameter Description
-instance <arg> Logical name of Instance.
-interfaceHost <arg> Hostname of the Interface. Optional if only one Interface exists.
-interfacePort <arg> port of Port number of the Interface. Optional if only one Interface exists.
Interface.
-login <arg> Database user login.
-password <arg> Database user password.

5.12 Deleting a Server

To delete an existing DataSunrise server, use the delDsServer command:

>executecommand.bat delDsServer -name ds1

The delDsServer command's parameters:

Parameter Description
-name <arg> Logical name of the DS server to be deleted
 5 Configuring Interfaces, Proxies, Sniffers | 51

5.13 Displaying Interfaces

To display a list of interfaces, use the showInterfaces command:
Parameter Description

-instance <arg> Logical name of the instance.

5.14 Displaying queries most often blocked

To display a list of queries most often blocked by the firewall, use the showMostBlocked command.
 6 Creating, Editing and Configuring Rules | 52

6 Creating, Editing and Configuring

Rules

6.1 Creating Rules

Below is the basic scheme of a rule creation:
1. To create a new rule, use the addRule command. Note that there are dedicated commands for audit, learning,
masking and security rules (addAuditRule, addLearnRule, addMaskRule, addSecurityRule correspondingly).
2. Select Rule type with -action <arg> for a security, audit, masking or learning rule.
3. Select database type (-dbType <arg>).
4. Select an Instance (-instance <arg>).
5. Add required Hosts, Users, Subscribers, Applications which will be affected by the rule.
6. Use additional parameters for certain rule types that will be covered in detail further.

6.2 Creating and Editing Security Rules

DataSunrise Firewall intercepts all user queries to target database and blocks unauthorized queries and SQL
injections according to security rule settings.
To edit an existing security rule, use the updateSecurityRule command with the parameters given in the table
below.
To create a new security rule, use one of the following commands: addSecurityRule, addRule -action block or
addRule -action allow with required parameters.

>executecommand.bat addSecurityRule -action block -dbType mysql -instance Inst2 -name "Block ObjGr" -
blockType sqlerror -filterType object -intercSqlSelect false -intercSqlSelectWJ false

Above is the example of a rule for blocking INSERT, DELETE, UPDATE commands and function calls, leaving
SELECT and SELECT in WHERE & JOIN statements available to execute. By default settings, all parameters of these
statements are at true state, so you need to switch off the ones you don't need. -name <arg> parameter is used to
assign a rule name.
 6 Creating, Editing and Configuring Rules | 53
Here is the list of security rule parameters for allowing and blocking queries:
Parameter Description

-action <arg> Select a rule type (block | allow).

-addHosts <arg> Add a host for the rule.

-addOsUserGroups <arg> Add Operating system user groups to the Rule's settings
-addOsUsers <arg> Add a list of comma-separated OS users or regular expression

-addUserGroups <arg> Add group of DB users for the rule.

-addUsers <arg> Add a DB user for the rule.

-addHostGroups <arg> Add a group of hosts for the rule.

-addSubscribers <arg> Add email addresses (separated by commas) to receive notification when
the rule is triggered.

-affectedRows <arg> Trigger the rule only if the number of affected rows is not less that a
specified number.

-app <arg> Intercept application requests (any | <application name>).

-blockSeparator <arg> Assign a character as a separator between blocks of database elements (';' is
assigned by default).

-blockType <arg> Selecting a blocking method:

<sqlerror> query is blocked and a notification is sent to the user
<disconnect> query is blocked and the user is disconnected from the
server

-comment <arg> Commentary

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum
| hive | mariadb | mysql | mssql | netezza | oracle | postgresql | redshift |
teradata | sap hana | vertica | mongodb | dynamodb | impala | cassandra |
sybase | snowflake | any.
By default, it is set to ‘any database’, so the firewall will intercept queries
targeted to all available databases.

-ddlSelectAll <true | false> Intercept all DDL-statements

-ddlTypes <arg> Intercept CREATE/DROP/ALTER TABLE statements separated by ',' by default

-delHostGroups <arg> Comma-separated list of host groups for deleting

-delHosts <arg> Comma-separated list of hosts for deleting

-delOsUserGroups <arg> Comma-separated list of OS user groups for deleting

-delOsUsers <arg> Comma-separated list of OS users or {regexp name} for deleting

-delSubscribers <arg> Delete subscribers (comma-separated list of email addresses)

-delUserGroups <arg> Comma-separated list of database user groups for deleting

 6 Creating, Editing and Configuring Rules | 54

Parameter Description
-delUsers <arg> Comma-separated list of database users for deleting or {regexp name}

-enable <true | false> Enable or disable the rule.

-filterSessionsFile <arg> Filter session rules JSON file

-filterType <arg> Filter type arguments:

<object> is an argument for blocking or allowing SQL statements (SELECT,
INSERT, UPDATE, DELETE) and function calls in selected schemas, tables and
columns
<group> – certain group of SQL statements
<ddl> – selected DDL operations
<inject> – SQL injection

-injConcat <arg> Set a number of penalties for Concatenation of single Characters (many
types of attacks)

-injPenComm <arg> Set a number of penalties for comments in a query code.

-injPenConst <arg> Set a number of penalties for the expression which is always true.

-injPenDq <arg> Set a number of penalties for multiple SQL statements separated by
semicolon.

-injPenKw <arg> Set a number of penalties for comments containing one or multiple SQL
keywords.

-injPenOr <arg> Set a number of penalties for OR SQL statement.

-injPenUnion <arg> Set a number of penalties for UNION SQL statement.

-injWarnLevel <arg> Set a number of penalties a query should achieve to be considered as

suspicious.

-injErrLevel <arg> Set a number of penalties a query should achieve to be considered as SQL-
injected.

-injSuspicCondit <arg> Suspicious condition to check for Boolean Blind Attack

-injSuspicConv <arg> Suspicious convertion: Blind Error Attack

-injSuspicFunc <arg> Suspicious function call

-instance <arg> Select an instance ('any' instance is set by default).

-intercFunc <arg> Intercept queries targeted to certain functions.

-intercFuncCall <true | false> Intercept Function Call.

-intercObjGr <arg> Intercept queries targeted to specified databases, schemas, tables, columns
from a list of Object Groups separated by semicolons (<groups> | false).
 6 Creating, Editing and Configuring Rules | 55

Parameter Description

-intercPack <arg> Intercept the whole package of DDL statements. Use empty quoted string
to delete all the packages and functions.

-intercSqlDelete <true | false> Intercept DELETE statements.

-intercSqlGr <arg> Intercept statements from a certain SQL group.

-intercSqlInsert <true | false> Intercept INSERT statements.

-intercSqlSelect <true | false> Intercept SELECT statements.

-intercSqlSelectWithoutFrom <true | Intercept SELECT without FROM statements.

false>

-intercSqlSelectWJ <true | false> Intercept SELECT in WHERE & JOIN statements.

-intercSqlUpdate <true | false> Intercept UPDATE statements.

-intercTab <arg> Intercept queries targeted to certain databases,

schemas, tables, columns formatted like
"orcl.alex.customers.id;orcl.bob.orders.id" ("alex.customers.id;bob.orders.id" for
MySQL, MariaDB, Aurora databases, Teradata, PostgreSQL).

-listSeparator <arg> Separator for a list of values. Used together with -addHosts, -
addHostGroups, -delHosts, -delHostGroups, -addUsers, -addUserGroups, -
delUsers, -delUserGroups, -addOsUsers, -addOsUserGroups, -delOsUsers,
-delOsUserGroups, -addSubscribers, -delSubscribersddlTypes, -
functionParams. Default is ","

-login <arg> Database user login.

-logInStorage <true | false> Log events in storage (true by default).

-logInSyslog <true | false> Log events in syslog (false by default).

-name <arg> Logical name of the rule.

-newName <arg> New logical name for the Rule

-nameSeparator <arg> Assign a character as a separator between database elements ('.' is assigned
by default).

-password <arg> Database user password.

-proxy <arg> ((host:port) | any)

-schedule <arg> Schedule for the rule (no | (schedule name)).

-skipFunc <arg> Skip statements for functions.

-skipObjGr <arg> Skip statements for databases, schemas, tables, columns from the comma
separated list of object groups ((groups) | false).

-skipPack <arg> Skip statements for the whole package of functions.

 6 Creating, Editing and Configuring Rules | 56

Parameter Description

-skipSqlGr <arg> Do not intercept statements from a group of SQL statements.

-skipTab <arg> Skip statements for databases, schemas, tables, columns formatted
like "orcl.alex.customers.id;orcl.bob.orders.id". For Aurora databases,
MariaDB, MySQL, PostgreSQL, Teradata the format is the following
"alex.customers.id;bob.orders.id".

-sniffer <arg> (host | any)

-sysLogGr <arg> Use Syslog Group. Default value is NO

To block SQL injections, use the command with the following parameters as shown in the example below addRule -
action block -filterType inject:

>executecommand.bat addRule -name "Block SQLinj" -action block -dbType mysql -instance Inst2 -
addHostGroups bank -filterType inject -injErrLevel 10 -injPenComm 15 -injPenConst 10 -injPenDq 10 -
injPenKw 10 -injPenOr 10 -injPenUnion 10 -injWarnLevel 10
OK

6.3 Creating and Editing Audit Rules

DataSunrise performs real-time tracking and logging of all user actions and changes made to the target database.
In order to create an audit or skip rule, use commands addAuditRule,addRule -action audit or addRule -action
skip.
Intercepting query parameters for the audit/skip rules are similar to the ones for security rules. Here is the list of
parameters for audit rules:

>executecommand.bat addAuditRule -action audit -dbType postgresql -instance mydb -name "Audit_all"
-filterType object -intercSqlSelect true -intercSqlSelectWJ true -login postgres -password 1234 -
logInStorage true -logData true -intercTab test.public.customers

Note: Operation type ID's for DDL commands are shown in parentheses.
 6 Creating, Editing and Configuring Rules | 57
To edit an existing audit rule, use the updateAuditRule command with the parameters given in the table below:
Parameter Description

-action <arg> Select a rule type (audit | skip).

-addHostGroups <arg> Add a group of hosts for the rule.

-addHosts <arg> Add a host for the rule.

-addOsUserGroups <arg> Comma-separated list of operating system user groups.

-addOsUsers <arg> Comma-separated list of operating system users or regular expression.

-addSubscribers <arg> Add email addresses (separated by commas) to receive notification when the
rule is triggered.

-addUserGroups <arg> Comma-separated list of database user groups

-addUsers <arg> Comma-separated list of database users or {regexp name}

-affectedRows <arg> Trigger the rule only if the number of affected rows is not less than a specified
number.

-app <arg> Process application requests (any | <application name>).

-blockSeparator <arg> Assign a character as a separator between blocks of database elements (';'
is assigned by default). Used together with -maskColumns, -intercTab, -
intercPack, -intercFunc, -skipTab, -skipPack, -skipFunc.

-checkNextRule <true | false> Keep Checking the List of Rules

-comment <arg> Leave a comment.

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum | hive
| mariadb | mysql | mssql | netezza | oracle | postgresql | redshift | teradata | sap
hana | vertica | mongodb | dynamodb | impala | cassandra | sybase | snowflake
| any.
By default, it is set to ‘any database’, so the firewall will intercept queries
targeted to all available databases

-ddlSelectAll <true | false> Intercept all DDL-statements

-ddlTypes <arg> Intercept CREATE/DROP/ALTER TABLE statements separated by ',' by default.

-delHostGroups <arg> Comma-separated list of host groups for deleting

-delHosts <arg> Comma-separated list of hosts for deleting

-delOsUserGroups <arg> Comma-separated list of OS user groups for deleting

-delOsUsers <arg> Comma-separated list of OS users or {regexp name} for deleting

-delSubscribers <arg> Delete subscribers (comma-separated list of email addresses)

-delUserGroups <arg> Comma-separated list of database user groups for deleting

-delUsers <arg> Comma-separated list of database users for deleting or {regexp name}
 6 Creating, Editing and Configuring Rules | 58

Parameter Description
-depersQueries <true | false> Depersonalize queries
-enable <true | false> Enable/disable the rule
-filterSessionsFile <arg> Filter session rules JSON file

-filterType <arg> Filter type arguments:

<object>: is the argument for blocking or allowing SQL statements (SELECT,
INSERT, UPDATE, DELETE) and function calls in selected schemas, tables and
columns
<group>: certain group of SQL statements
<ddl>: selected DDL operations
<inject>: SQL injection attempts
-injConcat <arg> Concatenation of single Characters for many types of attacks

-injErrLevel <arg> Number of penalties a query should get to be considered an SQL-injection

-injPenComm <arg> Number of penalties for comments in query code

-injPenConst <arg> Number of penalties for an expression which is always true

-injPenDq <arg> Number of penalties for multiple SQL statements separated by semicolons

-injPenKw <arg> Number of penalties for comments containing one or multiple SQL keywords

-injPenOr <arg> Number of penalties for OR SQL statement

-injPenUnion <arg> Number of penalties for UNION SQL statement

-injSuspicCondit <arg> Suspicious condition to check for Boolean Blind Attack

-injSuspicConv <arg> Suspicious convertion: Blind Error Attack

-injSuspicFunc <arg> Suspicious function call

-injWarnLevel <arg> Number of penalties a query should get to be considered suspicious

-instance <arg> Select an instance ('any' instance is set by default).

-intercFunc <arg> Intercept queries targeted to certain functions.

-intercFuncCall <true | false> Intercept Function Call.

-intercObjGr <arg> Intercept queries targeted to specified databases, schemas, tables, columns
from a list of Object Groups separated by semicolons (<groups> | false).

-intercPack <arg> Intercept the whole package of DDL statements. Use empty quoted string to
delete all the packages and functions.

-intercSqlDelete <true | false> Intercept DELETE statements.

-intercSqlGr <arg> Intercept statements from a certain SQL group.

 6 Creating, Editing and Configuring Rules | 59

Parameter Description

-intercSqlInsert <true | false> Intercept INSERT statements.

-intercSqlSelect <true | false> Intercept SELECT statements.

-intercSqlSelectWithoutFrom Intercept SELECT without FROM statements.

<true | false>

-intercSqlSelectWJ <true | false> Intercept SELECT in WHERE & JOIN statements.

-intercSqlUpdate <true | false> Intercept UPDATE statements.

-intercTab <arg> Intercept queries targeted to certain databases, schemas, tables,

columns formatted like "orcl.alex.customers.id;orcl.bob.orders.id"
("alex.customers.id;bob.orders.id" for MySQL, PostgreSQL, MariaDB, Aurora
databases, Teradata).

-listSeparator <arg> Separator for a list of values. Used together with -addHosts, -addHostGroups,
-delHosts, -delHostGroups, -addUsers, -addUserGroups, -delUsers,
-delUserGroups, -addOsUsers, -addOsUserGroups, -delOsUsers, -
delOsUserGroups, -addSubscribers, -delSubscribersddlTypes, -functionParams.
Default separator is comma ","

-login <arg> Database user login.

-log1Event <true | false> Log first event only.

-logData <true | false> Log the result set of query returned to the user.

-logBindVariables <true | false> Log Bind Variables

-logInStorage <true | false> Log events in storage (true by default).

-logMaxRowCount <arg> Log max number of rows returned to the user (number | unlimited).

-name <arg> Logical name of the rule.

-newName <arg> New logical name for the Rule

-nameSeparator <arg> Assign a character as a separator between database elements ('.' is assigned by
default).

-password <arg> Database user password.

-proxy <arg> ((host:port) | any)

-schedule <arg> Schedule for the rule (no | (schedule name)).

-skipFunc <arg> Skip statements for functions.

-skipObjGr <arg> Skip statements for databases, schemas, tables, columns from the comma
separated list of object groups ((groups) | false).

-skipPack <arg> Skip statements for the whole package of functions.

-skipSqlGr <arg> Do not intercept statements from a group of SQL statements.

 6 Creating, Editing and Configuring Rules | 60

Parameter Description

-skipTab <arg> Skip statements for databases, schemas, tables, columns formatted like
"orcl.alex.customers.id;orcl.bob.orders.id". For Aurora, PostgreSQL, MariaDB,
MySQL, Teradata the format is the following: "alex.customers.id;bob.orders.id".

-sniffer <arg> (<host1-server1;host2-server2> | any)

-sysLogGr <arg> Use Syslog Group. Default value is NO

6.4 Creating and Editing Learning Rules

Self-learning capability is designed to simplify customization of the firewall. It analyzes all user operations and
generates an allow list which includes queries typical for the given database environment.
To edit an existing learning rule, use the updateLearnRule command with the parameters given in the table below.
 6 Creating, Editing and Configuring Rules | 61
To create a new learning rule, use the addLearnRule command with the following parameters:
Parameter Description

-action <arg> Select a rule type (learn | skip).

-addHosts <arg> Add a host for the rule.

-addUserGroups <arg> Add group of DB users for the rule.

-addUsers <arg> Add a DB user for the rule.

-addHostGroups <arg> Add a group of hosts for the rule.

-affectedRows <arg> Trigger the rule only if the number of affected rows is not less than a
specified number.

-app <arg> Intercept application requests (any | <application name>).

-blockSeparator <arg> Assign a character as a separator between blocks of database elements (';' is
assigned by default).

-comment <arg> Leave a comment.

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum
| hive | mariadb | mysql | mssql | netezza | oracle | postgresql | redshift |
teradata | sap hana | vertica | mongodb | dynamodb | impala | cassandra |
sybase | snowflake | any.
By default, it is set to ‘any database’, so the firewall will intercept queries
targeted to all available databases.

-enable <true | false> Enable or disable the rule.

-instance <arg> Select an instance ('any' instance is set by default).

-login <arg> Database user login.

-learnDelete <true | false> Learning based on DELETE operations.

-learnFuncCall <true | false> Learning based on Function CALL operations.

-learnInsert <true | false> Do not intercept statements from a specified SQL group.

-learnObjectGroup <arg> Save names of databases, schemas, tables, columns to the Object Group for
the Learning Rule ( false | <group name>).

-learnSelect <true | false> Learning based on SELECT operation.

-learnSqlGroup <arg> Save SQL Statements to the Group for the Learning Rule ( false | <group
name>).

-learnUpdate <true | false> Learning based on UPDATE operation.

-learnUserGroup <arg> Save Users in the Learning Rule Group (true | false | <group name>). The
"true" option allows to save users out of any group.

-learnAppSave <true | false> Save applications for the Learning Rule.

 6 Creating, Editing and Configuring Rules | 62

Parameter Description

-name <arg> Logical name of the rule.

-nameSeparator <arg> Assign a character as a separator between database elements ('.' is assigned
by default).

-password <arg> Database user password.

-proxy <arg> ((host:port) | any)

-schedule <arg> Schedule for the rule (no | (schedule name)).

-sniffer <arg> (host | any)

6.5 Creating Masking Rules

DataSunrise rules allow you to perform masking dynamically, preventing sensitive data exposure by replacing
original data with pre-defined characters or random values on-the-fly.
Note that priority of security rule is higher than masking rule’s priority, so requested data will be masked only if it
doesn’t meet filtration criteria of security rules.
To edit an existing masking rule, use the updateMaskRule command with the parameters given in the table below.
Here is an example of a simple masking rule for two columns:

executecommand.bat addMaskRule -name script-rules -instance aurora -login aurorauser -password

aurorauser -dbType aurora -maskType fixedStr -fixedVal XXXXXXXX -action mask -maskColumns
'test.table1.column2;test.table1.column1;'

In order to create a masking rule, use the addMaskRule or addRule -action mask commands.
 6 Creating, Editing and Configuring Rules | 63
Here is the list of parameters for masking rules:
Parameter Description
-action mask | skip

-addHostGroups <arg> Add a group of hosts for the rule

-addHosts <arg> Add a host for the rule

-addOsUserGroups <arg> Add a list of group of OS users

-addOsUsers <arg> A list of OS users separated with a comma or {regexp name}

-addSubscribers <arg> Add email addresses (separated by commas) to receive a notification when
the rule is triggered.

-addUserGroups <arg> Add a group of DB users for the rule

-addUsers <arg> Add a DB user for the rule

-app <arg> Process application requests (any | <application name> | {regexp name})

-blockSeparator <arg> Assign a character as a separator between blocks of database elements (';' is
assigned by default). Used in conjunction with -maskColumns, -intercTab, -
intercPack, -intercFunc, -skipTab, -skipPack, -skipFunc

-columnDelimeter <arg> Column delimeter. Applicable to CSV files only. It shouldn't contain quote
characters. The default one is \t
-columns <arg> Comma-separated names or numbers of columns to mask for CSV, or text
inside tags to mask for XML

-comment <arg> A comment

-date <arg> Replace date value with a fixed value. Use if -maskType is fixDate

-dateTime <arg> replace date and time value with a fixed value. Use if -maskType is
fixDateTime

-days <arg> Replace date values with random values from a predefined range. Use if -
maskType
is dateDisp or dateTimeDisp

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum
| hive | mariadb | mysql | mssql | netezza | oracle | postgresql | redshift |
teradata | sap hana | s3 | vertica | mongodb | dynamodb | impala | cassandra
| sybase | snowflake | <any>)
By default, it is set to "any database", so the firewall will intercept queries
targeted to all available databases

-delHostGroups <arg> Comma-separated list of host groups to delete

-delHosts <arg> Comma-separated list of hosts to delete

-delOsUserGroups <arg> Comma-separated list of OS user groups to delete
-delOsUsers <arg> Comma-separated list of OS users or {regexp name} to delete
-delSubscribers <arg> Comma-separated list of subscriber Email addresses to delete
 6 Creating, Editing and Configuring Rules | 64

Parameter Description
-delUserGroups <arg> Comma-separated list of DB user groups to delete
-delUsers <arg> Comma-separated list of DB users or {regexp name} to delete

-enable <true | false> Enable or disable the rule

-endDate <arg> Minimum value of the random date value interval. Use if -maskType is
rndDate

-endDateTime <arg> Minimum value of the random time and value interval. Use if -maskType is
rndDateTime

-endTime <arg> Minimum value of the random time value interval. Use if -maskType is
rndTime

-fileName <arg> Path to the file that should be masked

-fileType <arg> Type of the file which should be masked (CSV | JSON | XML |
UNSTRUCTURED. CSV is default

-filler <arg> A placeholder to replace the masked values with. Note that it should be one
character. Default is "*"

-filterSessionsFile <arg> Filter session rules JSON file

-fixedVal <arg> Replace masked value with a fixed value. Use if -maskType is fixedNum

-functionName <arg> Call a custom function for masking. Use if -maskType is function

-functionParams <arg> comma-separated input parameters for -functionName. Use = to specify

a value for parameter. Available parameter names: masked_column |
column_from_same_table | session_id | user_name | os_user_name |
app_name | sql_statement | client_host | text_value | sql_value

-hours <arg> Replace date or date/time value with a value from the end of available
range. Use if -maskType is timeDisp or dateTimeDisp

-instance <arg> Select an instance (instance name | <any>). 'any' is set by default

-jsonPath <arg> Keys' values of a JSON file to be masked. Note that the values should be
comma-separated

-keepRowCount <true | false> Keep row count of the original data set if the query includes the DISTINCT
operator or a GROUP BY, HAVING, or ORDER BY clause. Default is false

-listSeparator <arg> Separator of values in a list. Used in conjunction with -addHosts, -

addHostGroups, -delHosts, -delHostGroups, -addUsers, -addUserGroups, -
delUsers, -delUserGroups, -addOsUsers, -addOsUserGroups, -delOsUsers, -
delOsUserGroups, -addSubscribers, -delSubscribersddlTypes, -functionParams.
Default is ","

-login <arg> The database user login

-log1Event <true | false> Log only the first event

-logData <true | false> Log the result set of a query returned to the user
 6 Creating, Editing and Configuring Rules | 65

Parameter Description

-logInStorage <true | false> Log events in storage (true by default).

-logInSyslog <true | false> Log events in syslog (false by default).

-logMaxRowCount <arg> Log max number of rows returned to the user (number | unlimited).

-maskColumns <arg> Columns formatted like:

orcl.alex.customers.id;orcl.bob.orders.id

For Aurora MySQL, MariaDB, MySQL, Teradata the format is:

alex.customers.id;bob.orders.id

-maskCount <arg> Number of masked characters. Use if -maskType is (maskFirst | maskLast |

maskFirstLast | showFirst | showLast | showFirstLast)

-maskMax <arg> Maximum value of the range. Default value is 100. Use if -maskType is
intervalRandom

-maskMin <arg> Minimum value of the range. Default value is 0. Use if -maskType is
intervalRandom

-maskPattern <arg> A pattern that should be found and replaced with the text specified by -
replaceBy option. Use if -maskType is regexpReplace

-maskSelectOnly <arg> Mask SELECTs only. Default is false

-maskType <arg> Masking method to use: bankCard | default | emailDefault | emailLogin
| emailFull | empty | fixedNum | fixedStr | function | maskFirst | maskLast
| maskFirstLast | showFirst | showLast | showFirstLast | random |
intervalRandomregexpReplace | rndTime | rndDate | rndDateTime | fixTime
| fixDate | rnd2Date | fixDateTime | timeDisp | dateDisp | dateTimeDisp |
bankCardFpt | bankCardFpeFf3 | emailFpt | emailFpeFf3 | ssnFpt | ssnFpeFf3
| numFpt | numFpeFf3 | stringFpt | stringFpeFf3
Default value is "random".

-minutes <arg> Replace date or date/time value with a value from the end of available
range. Use if -maskType is timeDisp or dateTimeDisp

-name <arg> Logical name of the rule.

-nameSeparator <arg> Name separator. Used in conjunction with -maskColumns, -intercTab, -

intercPack,
-intercFunc, -skipTab, -skipPack, -skipFunc. Default is "."

-paddingText <arg> Replace masked characters with a predefined character. Default character
is *. Use if -maskType is: maskFirst | maskLast | maskFirstLast | showFirst |
showLast | showFirstLast

-password <arg> The database user password.

-proxy <arg> Select a proxy ((host:port) | any).

 6 Creating, Editing and Configuring Rules | 66

Parameter Description
-quote <arg> Applicable only to CSV files. Default is "\"
-replaceBy <arg> The text used instead of the pattern specified by -maskPattern. Use if -
maskType is regexpReplace

-rowDelimeter <arg> Applicable to CSV files only. It shouldn't contain quote characters. Default is
"\n"

-schedule <arg> Schedule for the rule (no | (schedule name)).

-seconds <arg> Replace date or date/time value with a value from the end of available
range. Use if -maskType is timeDisp or dateTimeDisp

-sniffer <arg> Select a sniffer (host | any).

-startDate <arg> Maximum value of the random date value interval. Use if -maskType is
rndDate

-startDateTime <arg> Maximum value of the random time and date value interval. Use if -
maskType is rndDateTime

-startTime <arg> Maximum value of the random time value interval. Use if -maskType is
rndTime

-sysLogGr <arg> Use Syslog group. Default is "NO"

-time <arg> Replace time value with a fixed value. Use if -maskType is fixTime

-withHeader <true | false> Applicable to CSV only. Whether a SCV file has headers or not
-xmlPath <arg> Keys' values of an XML file to be masked. Note that the values should be
comma-separated
 6 Creating, Editing and Configuring Rules | 67
The -maskType <arg> parameter is used for selecting a masking type. By default, the masking type is set to
"random". Here is the list of DataSunrise masking types:
Argument for - Masking type Description and subparameters
maskType parameter
bankCard Credit Card Number Use this argument to mask credit card numbers. It replaces
all card number digits except the last four with "X" character.
(XXXX-XXXX-XXXX-1234)
dateTimeDisp Date/Time Dispersion Date/Time Dispersion (when -masktype is dateTimeDisp)
default Default INT-type values are replaced with zeroes (0) and STRING-type
values are replaced with empty spaces
emailDefault Default E-mail Masking Email address characters are replaced with "*" symbols,
except the first one and the last one in a row. For example:
***@**.**m
emailFull Full E-mail Masking Email address is replaced with asterisks "*" except for the "@"
character and the top-level domain name (***@**.com)
emailLogin Mask login of E-Mail Email user name is replaced with asterisks
address (**@datasunrise.com)
empty Empty STRING-type values are replaced with an empty space
fixedNum Fixed Number NUMBER-type and INT-type values are replaced with a
predefined value (-fixedVal <arg>)
fixedStr Fixed String STRING-type values are replaced with a predefined string
function Function Call Call a stored procedure (-functionName <arg>) for data
obfuscation

-functionName <arg> Function Call Function call value (when -masktype is function)

-hours <arg> Date Time Dispersion Max value of 'hours' (when -masktype is dateDisp or
dateTimeDisp)

-fixedVal <arg> Fixed Number Fixed number value (when -masktype is fixedNum)

maskFirst Mask First Mask a specified number (-maskCount <arg>) of database

entry's first symbols
maskLast Mask Last Mask a specified number (-maskCount <arg>) of database
entry's last symbols
maskFirstLast Mask First and Last Mask a specified number (-maskCount <arg>) of database
entry's first and last symbols
showLast Show Last Show a specified number (-maskCount <arg>) of database
entry's last symbols
showFirst Show First Show a specified number (-maskCount <arg>) of database
entry's first symbols
showFirstLast Show First and Last Show a specified number (-maskCount <arg>) of database
entry's first and last symbols
random Random Value Database entry is replaced with random values
intervalRandom Random from Interval INT-type values are replaced with values from a specified
range (-maskMin <arg> and -maskMax <arg>, default values
are 0 and 100)
 6 Creating, Editing and Configuring Rules | 68

Argument for - Masking type Description and subparameters

maskType parameter
regexpReplace Regexp Replace Replace regular expressions with a predefined string.
-maskPattern <arg> – specify a pattern that should be found
and replaced by text specified by -replaceBy option.
-replaceBy <arg> – specify a text being substituted instead of
a pattern specified by -maskPattern

fixDateTime Fixed Date and Time Replace date and time values with a fixed value (-dateTime
<arg>)
fixDate Fixed Date Replace date values with a fixed value (-date <arg>)
fixTime Fixed Time Replace time values with a fixed value (-time <arg>)
rndDateTime Random Date and Time Replace date and time values with random values from a
predefined range.
-startDateTime <arg>
-endDateTime <arg>

rndDate Random Date Interval Replace date values with random values from a predefined
range:
-startDate <arg>
-endDate <arg>

rndTime Random Time Replace time values with random values from a predefined
range. Specify a range for random time values:
-startTime <arg>
-endTime <arg>

dateDisp Date Dispersion Replace date values with random values from a predefined
range. Specify the maximum deviation of the "masked" date:
-days <arg>

timeDisp Time Dispersion Replace time values with random values from predefined
range. Specify the maximum deviation of the "masked" time:
-hours <arg>, -minutes <arg>, -seconds <arg>

6.6 Rules on Specifying Names of DB

elements
orcl.test.table1;orcl.test.table2 two table names without regular expressions
are specified

orcl.test.{table.}.{^ab.+} all columns starting with "ab" in tables

starting with ‘table’ and consisting of
6 symbols

orcl.test.{table.} all tables of the "orcl" scheme with names

consisting of 6 symbols, 5 of which are
‘table’ and the last one can be any symbol
 6 Creating, Editing and Configuring Rules | 69

orcl.test.{table.}.{^ab.+} all columns starting with "ab" in tables

starting with ‘table’ and consisting of
6 symbols

orcl.test.table. a table with the exact name "table"

Important: For MySQL, MariaDB, Aurora, Teradata use a format like test.table;test.table2.

Real names and regular expressions can be used when defining names of databases, schemes, tables and columns.
Dot symbol ‘.’ in regular expressions means any symbol.
Semicolon is used as a separator between blocks. Blocks consist of 4 parts: database, scheme, table, and column.
Between these four parts ‘.’ is used as a separator.
addRule, updateRule, addObjectGroup, updateObjectGroup commands have a -nameSeparator parameter, that
allows to assign any other symbol or a combination of symbols as a separator between database elements instead
of a dot symbol ".".
Limitations:
The semicolon symbol ’;’ cannot be used in the names of database objects, because it is used as a delimiter between
blocks.
Names cannot be enclosed in curly brackets '{}', as it is the sign of a regular expression.

6.7 Displaying a Rule

To view an existing Rule, use the showRule command with the following options:
Parameter Description

-name <arg> Logical name of the Rule to view. Use the showRules command to search
for the Rule of interest.

6.7.1 Displaying a List of Rules

To view a list of all existing Rules, use the showRules command with the following options:
Parameter Description

-action <arg> Type of a Rule to display (audit | security | mask | learn).

-instance <arg> Show Rules for specified Instance only.

Example:

>executecommand.bat showRules -action security -instance Inst2

6.7.2 Deleting a Rule
To delete an existing Rule, use the delRule command with the following options:
Parameter Description
-name <arg> Logical name of the Rule to delete. Use showRules command to search for
the Rule of interest.
 7 Static Masking | 71

7 Static Masking

7.1 Creating a Static Masking task

To perform static masking, use the statMask command with the following options:
Parameter Description
-c Create target tables if they don't exist.
-d Create target default constraints if they don't exist.
-i Create target indexes if they don't exist.
-k Create target foreign keys if they don't exist.
-o Create target check constraints if they don't exist.
-r Create target constraints if they don't exist.
-t Truncate target table before masking.
-sourceInstance <arg> Name of the instance containing tables with private data.
-sourceLogin <arg> Source instance user login.
-sourcePassword <arg> Source instance user password.
-sourceSysDba Connect as the SYSDBA to a source database (Oracle-specific).
-tableFile <arg> Specify the location of the JSON file that contains names of tables to be
masked and contains masking types (Specify only file name if your file is
in the same directory as the CLI's executable file). To create such a file, see
notes below.

Note: Refer to the following example of the file: https://

www.datasunrise.com/documents/CLI_stat_mask_example.json

Important: Do not specify the same target schema as the source schema.
Otherwise the masked values will be inserted into the same table. The
target table name should be the same as the source table name.

-targetInstance <arg> The target instance name.

-targetLogin <arg> Target instance user login.
-targetPassword <arg> Target instance user password.
-targetSysDba Connect as the SYSDBA to a target database (Oracle-specific).
7.2 Relaunching a Static Masking task
To repeat a previously executed Static Masking task, use the restartStatMasking command:
Parameter Description
-id <arg> ID of the previously executed static masking procedure. Can be found in the
Data Masking → Static Masking section of the DataSunrise Web Console

7.3 Retrieving a Static Masking

Configuration
To retrieve a previously-executed static masking configurations or save them to a file, use the showStatMasking
command with the following parameters:
Parameter Description
-id <arg> ID of the previously executed static masking procedure. Can be found in
the Data Masking → Static Masking subsection of the DataSunrise Web
Console
-file <arg> Directory and file name for the output JSON file with static masking
configuration

Use the command without the -file parameter to view information about previously executed static masking
procedure.

./executecommand.sh showStatMasking -id 19

To save a static masking configuration, execute the following:

./executecommand.sh showStatMasking –id 19 –file static_masking_conf.json

If a directory is not specified, the file will be saved in the /datasunrise/cmdline folder. The file can be used for the -
tableFile parameter of the statMask command to perform static data masking with the same masking types for the
same columns.
 8 Configuring Hosts, Networks, IP addresses/ranges | 73

8 Configuring Hosts, Networks, IP

addresses/ranges

8.1 Adding a Host, Network or IP address/

range
DataSunrise enables to filter DB traffic to intercept queries from certain hosts, IP addresses or networks.
To create a new profile for hosts, networks or IP ranges, use the addHost command. For example:

>executecommand.bat addHost -name cashiers -startIPv4 192.168.1.55 -endIPv4 192.168.1.65

The addHost command:

Parameter Description

-name <arg> Logical name of the host, network or IP range.

-host <arg> A host name when a single host is added.

-netMaskV4 <arg> Network mask when a network is added.

-netIPv4 <arg> IPv4 address of the host when a network is added.

-netIPv6 <arg> IPv6 address of the host when a network is added.

-startIPv4 <arg> First IPv4 address of the added range.

-startIPv6 <arg> First IPv6 address of the added range.

-endIPv4 <arg> Last IPv4 address of the added range.

-endIPv6 <arg> Last IPv6 address of the added range.

8.2 Importing multiple Hosts using a CSV file

You can create multiple Host profiles at once by using a CSV file containing a list of host names or IP addresses:
For this, prepare a .CSV file which contains a list of host names to be added to DataSunrise.
Each line should begin with the "host;" keyword, followed by a host name or IP address.
Example:

host;10.10.0.1
host;10.10.0.25
host;10.10.0.30
 8 Configuring Hosts, Networks, IP addresses/ranges | 74
If you need to upload a range of IP addresses, begin each .CSV file line with the "range" key word (for IPv4
addresses) or "range_ipv6" key word (for IPv6 addresses), then enter initial IP address and ending IP address of the
range separated with a semicolon:

range;10.0.0.1;10.0.0.100 (for IPv4)

range_ipv6;0:0:0:0:0:ffff:7f00:1;0:0:0:0:0:ffff:7f00:6 (for IPv6)

If you need to upload network settings, each line of a .CSV file should begin with the "network" key word (for IPv4
addresses) or "network_ipv6" key word (for IPv6 addresses):

network;10.0.0.1;255.255.255.0 (for IPv4)

network_ipv6;fe80:0:0:0:200:f8ff:fe21:67cf (for IPv6)

Then use the importHosts command:

Parameter Description

-fileName <arg> Name of the CSV file which contains the list of hosts to be added to
DataSunrise configuration.

Example:

>executecommand.bat importHosts -fileName myhosts.csv

8.3 Displaying a Host, Network or IP

address/range
To retrieve information about the existing host, network or IP address/range, use the showHost command with -
name <arg> parameter:
Parameter Description

-name <arg> Logical name of the host, network or IP range.

Example:

>executecommand.bat showHost -name cashiers

Name : cashiers
Address Type : RANGE_IPv4
IPv4 Start : 192.168.1.55
IPv4 End : 192.168.1.65
 8 Configuring Hosts, Networks, IP addresses/ranges | 75

8.4 Updating a Host, Network or IP address/

range
To change host or port number of the interface, use the updateHost command:
Parameter Description

-name <arg> Logical name of the host, network or IP range.

-host <arg> Host name when a single host is added.

-netMaskV4 <arg> Network mask when a network is added.

-netIPv4 <arg> IPv4 address of the host when a network is added.

-netIPv6 <arg> IPv6 address of the host when a network is added.

-startIPv4 <arg> The first IPv4 address of the added range.

-startIPv6 <arg> The first IPv6 address of the added range.

-endIPv4 <arg> The last IPv4 address of the added range.

-endIPv6 <arg> The last IPv6 address of the added range.

8.5 Deleting a Host, Network or IP address/

range
To delete a host, network or an IP address/range, use the delHost command with the following parameters:
Parameter Description

-name <arg> Logical name of the host, network or IP range.

8.6 Creating a Host Group

To add hosts, networks, IP adress/ranges to the group, use the addHostGrcommand:

>executecommand.bat addHostGr -name bank -addMembers cashiers,ITdep

The addHostGrcommand:
Parameter Description

-name <arg> The name of the group.

-addMembers <arg> A comma-separated list of addresses required to add to the group.

-removeMembers <arg> A comma-separated list of addresses required to remove from the group.

8.7 Displaying a Host group

To retrieve information about an existing group of hosts, networks or IP addresses/ranges, use the showHost
command:
Parameter Description

-name <arg> Logical name of the host, network or IP range.

8.8 Updating a Host group

To edit address group parameters, use the updateHost command:
Parameter Description

-name <arg> Logical name of the group.

-newName <arg> New logical name of the group.

-addMembers <arg> A comma-separated list of members to add to the group.

-removeMembers <arg> A comma-separated list of members to remove from the group.

8.9 Deleting a Host group

To delete a group of hosts, use the delHostGr command with the following options:
Parameter Description

-name <arg> Name of the host group.

 9 Database Users | 77

9 Database Users

9.1 Adding Database Users

To add a database user profile, use the addDbUser command with the following options:
Parameter Description

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum
| hive | mariadb | mysql | mssql | netezza | oracle | postgresql | redshift |
teradata | sap hana | vertica | mongodb | dynamodb | impala | cassandra |
sybase | snowflake | any

-instance <arg> Instance name: <instance name> | any

-name <arg> Name of user

Example:

>executecommand.bat addDbUser -dbType mysql -instance Inst2 -name Bob

9.2 Importing multiple Users using a CSV file

You can create multiple User profiles at once by using a CSV file containing a list of Users:
For this, prepare a .CSV file which contains a list of database user names to be added to DataSunrise.
Each line should begin with the "user;" keyword, followed by a user name.
Example:

user;user_name1
user;user_name2
user;user_name3

Then use the importUsers command:

Parameter Description

-fileName <arg> Name of the CSV file which contains the list of Users to be added to
DataSunrise configuration.

Example:

>executecommand.bat importUsers -fileName myusers.csv

 9 Database Users | 78

9.3 Creating Groups of Database Users

To create a group of users or to delete users from the group, use the addDbUserGr command with the following
options:
Parameter Description

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum
| hive | mariadb | mysql | mssql | netezza | oracle | postgresql | redshift |
teradata | sap hana | vertica | mongodb | dynamodb | impala | cassandra |
sybase | snowflake | any

-instance <arg> DB Instance: <instance name> | any

-name <arg> User group name

-removeMembers <arg> A comma-separated list of members to remove from Group

-addMembers <arg> A comma-separated list of members to add to Group

Example:

>executecommand.bat addDbUserGr -dbType mysql -instance Inst2 -addMembers alex,bob -name room20

9.4 Displaying Database Users

To retrieve information about a database user, use the showDbUser command with the following options:
Parameter Description

-name <arg> The name of the user.

9.5 Displaying database users

To display a list of database users, use the showDbUsers command.

9.6 Displaying Groups of Database Users

To retrieve information about a group of database users, use the showDbUserGr command with the following
options:
Parameter Description

-name <arg> User group name

 9 Database Users | 79

9.7 Updating a Database User Profile

To edit a profile of a database user, use the updateDbUser command with the following options:
Parameter Description

-instance <arg> DB Instance: <instance name> | any

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum
| hive | mariadb | mysql | mssql | netezza | oracle | postgresql | redshift |
teradata | sap hana | vertica | mongodb | dynamodb | impala | cassandra |
sybase | snowflake | any

-name <arg> User name

-newName <arg> New user name

9.8 Updating a Group of Database Users

To edit parameters of a group of database users, use the updateDbUserGr command with the following options:
Parameter Description

-dbType <arg> Select database type: aurora mysql | aurora postgresql | db2 | greenplum
| hive | mariadb | mysql | mssql | netezza | oracle | postgresql | redshift |
teradata | sap hana | vertica | mongodb | dynamodb | impala | cassandra |
sybase | snowflake | any

-instance <arg> Instance name: <instance name> | any

-name <arg> User group name

-newName <arg> New User group name

-removeMembers <arg> A comma-separated list of members to remove from the Group

-addMembers <arg> A comma-separated list of members to add to the Group.

9.9 Deleting Database Users

To delete a database user profile, use the delDbUser command with the following options:
Parameter Description

-name <arg> The database user name.

9.10 Deleting a Group of Database Users
To delete a group of database users, use the delDbUserGr command with the following options:
Parameter Description

-name <arg> The name of the User group to be deleted.

 10 Access Roles | 81

10 Access Roles

10.1 Creating an Access Role

To create an Access Role, use the addAccessRole command with the following options:
Parameter Description
-name <arg> Name of a Role
-groupDN <arg> A group of Distinguished names (DN).

Example:

>executecommand.bat addAccessRole -name myadmin -groupDN mygroupDN

10.2 Creating a DataSunrise user

To create a DataSunrise user, use the addDSUser command with the following options:
Parameter Description
-allowLogin <true | false> Allow the user to log in into the Web Console and CLI
-blackGroups <arg> A Deny list of groups (entries separated with commas)
-blackHosts <arg> A Deny list of hosts (entries separated with commas)
-email <arg> Email address of the user
-enableADAuth <true | false> Enable/disable Active Directory authentication
-login <arg> Login of the user
-password <arg> Password of the user
-role <arg> An Access Role to be assigned to the user
-twoFactorAuth <arg> Two-factor authentication type: Disabled | Email
-whiteGroups <arg> An Allow list of groups (entries separated with commas)
-whiteHosts <arg> An Allow list of hosts (entries separated with commas)

Example:

>executecommand.bat addDSUser -allowLogin true -email [email protected] -login myuser -password 123456 -
role admin
 10 Access Roles | 82

10.3 Granting all permissions to a Role

To grant an Access Role all permissions, use the grantAllPermToRole command with the following options:
Parameter Description
-name <arg> Role's name.

Example:

>executecommand.bat grantAllPermToRole -name myrole

10.4 Granting permissions to a Role

To grant specific permissions to a Role, use the grantPermToRole command with the following options:
Parameter Description
-delete <arg> Enable Delete for comma-separated list of objects.
-edit <arg> Enable Edit permission for the comma-separated list of objects.
-execute <arg> Enable Execute permission for the comma-separated list of objects.
-insert <arg> Enable Insert permission for the comma-separated list of objects.
-list <arg> Enable List permission for the comma-separated list of objects.
-name <arg> Name of the Role.
-view <arg> Enable View permission for the comma-separated list of objects.

Example:

>executecommand.bat grantPermToRole -delete public,my -view public, my

For the parameter -execute, the following values are possible:

• Audit Cleaning
• Audit Storage Changing
• Change Audit Partition Enable State Ready
• Change Audit Storage Encryption Settings
• Change Dictionary Encryption Settings
• Change Password Settings
• Check Messages Queues
• DataSunrise Starting
• DataSunrise Stopping
• DataSunrise Updating
• Dictionary Cleaning
• Dictionary Restoring
• Discovery Column Content Displaying
• Flush
• Logs Management
• Manual Audit Rotation
 10 Access Roles | 83
• Manual Dictionary Backing-up
• Original Query Displaying
• Query Bindings Displaying
• Query Results Displaying
• Reading Database Data
• Run System Shell Scripts
• Synchronous Flush
• View Dynamic Masking Events
• View Event Description
• View Operation Group
• View Query Parsing Errors
• View Security Events
• View Session Description
• View Session Trails
• View Top Blocked Queries Per Day
• View Transaction Trails
• Workers
For parameters -delete, -edit, -insert, -list, and -view the following values are possible:
• AI Detection of Users
• AWS S3 Inventory Items
• Access Custom File
• Active Directory Mapping
• Agents
• Application Data Model
• Application User Settings
• Applications
• Audit Rules
• Blocked Users
• Compliance Manager
• DSAR Configuration
• DSAR Field
• Data Discovery Filters
• Data Discovery Groups
• Data Discovery Incremental Data
• Data Discovery Incremental Group
• Data Discovery Matched Columns
• Data Discovery Task Error
• Data Format Converters
• DataSunrise Servers
• Database Instance Users
• Database Instances
• Database Interfaces
• Database Properties
• Database Services
• Database Users
• Database Users Properties
• Databases
• Deferred Task Info
• Deferred Task Pool Failed
• Dynamic SQL Replacements
 10 Access Roles | 84
• Encryptions
• Entity Groups
• Event Tagging
• Events
• External Users
• External Users Mapping
• External Users Properties
• Function Replacements
• Groups of Database Users
• Groups of Hosts
• Hosts
• Instance Properties
• Instance Users
• LDAP Servers
• Lexicon Groups
• Lexicon Items
• License Keys
• Lua Script
• Masking Caches
• Masking Rules
• Metadata Columns
• Metadata Functions
• Metadata Objects
• Metadata Schemas
• Object Filters
• ObjectGroups
• Pair of Associated Columns
• Periodic Tasks
• Proxies
• Queries
• Queries Map
• Query Groups
• Resource Manager Deployment
• Resource Manager Templates
• Results of VA Scanner
• Roles
• Routine Parameters
• Rule Format Preserving Keys
• Rule Limits
• Rule Subscribers
• Rules
• SDG Generators
• SDG Results
• SSL Key Groups
• SSL Keys
• SSL Session Cache Entry
• SSO Services
• Schedules
• Security Guidelines
• Security Rules
• Security Standards
 10 Access Roles | 85
• Self Access
• Session Cache Entry
• Sessions
• Sniffers
• Sub-item Filter
• Subscriber Servers
• Subscribers
• Syslog Configuration Groups
• Syslog Configuration Item
• System Settings
• Table Reference
• Tags
• Tasks
• Temporary Files
• Trailing DB Audit Logs
• Update Rules Checker
• Users

10.5 Settings permissions to a Role

To set specific permissions to a Role, use the setPermToRole command with the following options (all existing
permissions will be reset):
Parameter Description
-delete <arg> Enable Delete for comma-separated list of objects.
-edit <arg> Enable Edit permission for the comma-separated list of objects.
-execute <arg> Enable Execute permission for the comma-separated list of objects.
-insert <arg> Enable Insert permission for the comma-separated list of objects.
-list <arg> Enable List permission for the comma-separated list of objects.
-name <arg> Name of the Role.
-view <arg> Enable View permission for the comma-separated list of objects.

See the possible values for different parameters in the section 10.4 Granting permissions to a Role.

10.6 Deleting an Access Role

To delete an existing Access Role, use the delAccessRole command with the following options:
Parameter Description
-name <arg> Name of a Role to delete.

Example:

>executecommand.bat delAccessRole -name myrole

 10 Access Roles | 86

10.7 Revoking all permissions from a role

To revoke all permissions from an Access Role, use the revokeAllPermFromRole command with the following
options:
Parameter Description
-name <arg> Role's name.

10.8 Revoking permissions from a Role

To revoke specific permissions from a Role, use the revokePermFromRole command with the following options:
Parameter Description
-delete <arg> Enable Delete for comma-separated list of objects.
-edit <arg> Enable Edit permission for the comma-separated list of objects.
-execute <arg> Enable Execute permission for the comma-separated list of objects.
-insert <arg> Enable Insert permission for the comma-separated list of objects.
-list <arg> Enable List permission for the comma-separated list of objects.
-name <arg> Name of the Role.
-view <arg> Enable View permission for the comma-separated list of objects.

See the possible values for different parameters in the section 10.4 Granting permissions to a Role.

10.9 Deleting a DataSunrise user

To delete an existing DataSunrise user, use the delDSUser command with the following options:
Parameter Description
-login <arg> Login of a user to delete

Example:

>executecommand.bat delDSUser -login myuser

10.10 Displaying an Access Role

To display an existing Access Role, use the showAccessRole command with the following options:
Parameter Description
-name <arg> Name of a Role to display.
 10 Access Roles | 87

10.11 Displaying a list of Access Role

To display a list of existing Access Roles, use the showAccessRoles command.

10.12 Updating an Access Role

To update an existing Access Role, use the updateAccessRole command with the following options:
Parameter Description
-name <arg> Name of a Role
-newName <arg> New name of a Role
-groupDN <arg> A group of Distinguished names (DN).
 11 Configuring Client Application Profiles | 88

11 Configuring Client Application

Profiles

11.1 Adding a client application profile

DataSunrise enables its user to configure traffic filtering by client application names. To do this, a profile for each
application should be created (it can be created by self-learning engine as well).
To create a new Client application profile, use the addApplication command with the following options:
Parameter Description

-name <arg> Assign a name for the client application profile.

Example:

>executecommand.bat addApplication -name DBclient

11.2 Importing multiple Applications using a

CSV file
You can create multiple Application profiles at once by using a CSV file containing a list of Applications:
For this, prepare a .CSV file which contains a list of client applications to be added to DataSunrise.
Each line should begin with the "app;" keyword, followed by an application name.
Example:

app;application_name1
app;application_name2
app;application_name3

Then use the importApps command:

Parameter Description

-fileName <arg> Name of the CSV file which contains the list of Applications to be added to
DataSunrise configuration.

Example:

>executecommand.bat importApps -fileName myapps.csv

 11 Configuring Client Application Profiles | 89

11.3 Deleting a client application profile

To delete an existing Client application prtofile, use the delApplication command with the following options:
Parameter Description

-name <arg> Name of Client application which profile should be deleted.

Example:

>executecommand.bat delApplication -name DBClient

11.4 Displaying a client application profile

To display an existing application profile, use the showApplication command with the following options:
Parameter Description

-name <arg> Name of Client application which profile should be displayed.

11.5 Displaying a list of client applications

To display a list of all existing Client application profiles, use the showApplications command.

11.6 Editing a client application profile

To edit an existing сlient application prtofile, use the updateApplication command with the following options:
Parameter Description

-name <arg> A current name of the client application.

-newName <arg> A new name for the client application.

Example:

>executecommand.bat updateApplication -name DBclient -newName

 12 Object Groups | 90

12 Object Groups

12.1 Creating a new Object group

When running, DataSunrise self-learning engine creates a list of database objects addressed by incoming queries.
Names of these objects are saved into groups (Object groups) which enables to treat all the objects a group consists
of, as a single unit (it simplifies firewall configuring). To create a new Object group, use the addObjectGroup
command with the following options:
The addObjectGroup command's parameters:
Parameter Description

-functions <arg> Functions to include in a Group. The function path should be formatted as
follows: "orcl.alex.pack1.func1;orcl.bob.pack2.func2"

-functionsCsvFile <arg> The parameter to add a list of functions from the cvs file. Use a file
name as an argument (use the full path to the file, if the file is not in the
same directory as the CLI executable file). The list of functions should be
formatted as shown below. Start a new line for each function path:
orcl,alex,pack1,func1
orcl,bob,pack2,func2
orcl,carl,pack3,func3

-instance <arg> Database Instance objects of which to include in a Group (<instance name>
| any)

-name <arg> Logical name of an Object group

-nameSeparator <arg> Name separator. Used together with - tables, -functions

-tables <arg> Tables to include in Group. The table path should be expressed in the
following format: "orcl.alex.customers.id;orcl.bob.orders.id"

-tablesCsvFile <arg> The parameter to add a list of tables from a CSV file. Use file name as an
argument (use the full path to the file, if the file is not in the same directory
as the CLI executable file). The list of tables should be formatted as shown
below. Start a new line for each table path:
postgres,public,tab1,col1
postgres,public,tab1,col2
postgres,public,tab2

Example:

>executecommand.bat addObjectGroup -name MyObjGr -instance Inst2 -tables

orcl.alex.customers.id;orcl.bob.orders.id
 12 Object Groups | 91

12.2 Deleting an Object group

To delete an existing Object group, use the delObjectGroup command with the following options:
Parameter Description

-name <arg> Logical name of an Object group to delete.

12.3 Displaying an Object group

To display contents of an existing Object group, use the showObjectGroup command with the following options:
Parameter Description

-name <arg> Logical name of an Object group to display.

12.4 Displaying all Object groups

To display a list of all existing Object groups, use the showObjectGroups.
12.5 Updating an Object group
To change existing Object Group, use the updateObjectGroup command with the following options:
Parameter Description
-functions <arg> Functions to include into Group. The function path should be formatted as
follows: "orcl.alex.pack1.func1;orcl.bob.pack2.func2"
-functionsCsvFile <arg> The parameter to add a list of functions from a CSV file. Use file name as an
argument (use the full path to the file, if the file is not in the same directory
as the CLI executable file). The list of functions should be formatted as
shown below. Start a new line for each function path:
orcl,alex,pack1,func1
orcl,bob,pack2,func2
orcl,carl,pack3,func3

-instance <arg> Database Instance objects from which to include into Group (<instance
name> | any)
-login <arg> User name to access the database if metadata update is required
-name <arg> Logical name of an Object group
-newName <arg> New logical name of an Object group
-nameSeparator <arg> Name separator. Used together with - tables, -functions
-password <arg> Password to access the database if metadata update is required
-tables <arg> Tables to include into Group. The table path should be expressed in the
following format: orcl.alex.customers.id;orcl.bob.orders.id
-tablesCsvFile <arg> The parameter to add a list of tables from a CSV file. Use file name as an
argument (use the full path to the file, if the file is not in the same directory
as the CLI executable file). The list of tables should be formatted as shown
below. Start a new line for each table path:
postgres,public,tab1,col1
postgres,public,tab1,col2
postgres,public,tab2

Example:

>executecommand.bat updateObjectGroup -name MyObjGr -newName OtherObjGr -instance Inst2 -tables

orcl.alex.customers.id;orcl.bob.orders.id -login admin -password 123456
 13 Query Groups | 93

13 Query Groups

13.1 Creating a Query group

To create a new query group, use the addQueryGroup command with the following parameters:
Parameter Description
-name <arg> Assign a name of the query group.

Example:

>executecommand.bat addQueryGroup -name MyQueGr

13.2 Deleting a Query group

To delete an existing Query group, use the delQueryGroup command with the following options:
Parameter Description
-name <arg> Name of a Query group to be deleted.

13.3 Displaying contents of a Query group

To display contents of existing Query group, use the showQueryGroup command:
Parameter Description
-name Name of a Query group to display.

13.4 Displaying a list of Query groups

To display a list of existing query groups, use the showQueryGroups command.

13.5 Renaming a Query group

To rename a Query group, use the updateQueryGroup command with the following options:
Parameter Description
-name <arg> Name of a Query group to update.
-newName <arg> Assign a new name for a Query group.
13.6 Add a query to a Group
To add a single SQL query to an existing Query group, use the addQueryOfGroup command with the following
options:
Parameter Description
-name <arg> Name of a Query group to add a query to.
-regExp <true | false> Treat a query as a regular expression.
-sql <arg> SQL code of the query.

Example:

>executecommand.bat addQueryOfGroup -name MyQuerGr -regExp false -sql "select * from

orcl.alex.customers.id"

13.7 Removing a query from a group

To remove a query from an existing Query group, use the delQuery command with the following options:
Parameter Description
-name <arg> Name of the Query group to remove a query from.
-sql <arg> SQL code of the query.

Example:

>executecommand.bat delQuery -name queries1 -sql "select * from test_table"

13.8 Editing a query from a Group

To edit a single query from a Group, use the updateQueryOfGroup command with the following options:
Parameter Description
-name <arg> Name of a Query group to update.
-regExp <true | false> Treat a query as a regular expression.
-sql <arg> SQL code of the query to be updated.
-newSql <arg> New SQL query code.

Example:

>executecommand.bat updateQueryOfGroup -name MyQueGr -regExp false -sql "select * from

orcl.alex.customers.id" -newSql "select * from orcl.bob.orders.id"
 14 Configuring Schedules | 95

14 Configuring Schedules

14.1 Adding a new Schedule

To enable and disable DataSunrise Rules at predefined time, Schedules are used. To create a Schedule, use the
addSchedule command with the following options:
Parameter Description
-beginDate <arg> Schedule's start date and time. Should be specified in the following format :
"yyyy-MM-dd HH:mm:ss". Note: since there's a space between the date and
time, use brackets for the complete string.
-endDate <arg> Schedule's end date and time. Should be specified in the following format :
"yyyy-MM-dd HH:mm:ss".
-intervals <arg> Time intervals at which the Schedule should be active. It includes a list of
intervals separated with semicolons. Use su, mo, tu, we, th, fr, sa to specify
a day of week. For example: mo09:00:00-18:00:00;fr09:00:00-18:00:00. Thus
this Schedule activates the affiliated Rule on Mondays from 09.00 to 18.00
and on Fridays from 09.00 to 18.00.
-name <arg> Schedule's logical name.

Example:

>executecommand.bat addSchedule -name MySchedule -beginDate "2017-01-20 12:30:00" -endDate "2017-02-20

13:30:00"

14.2 Deleting a Schedule

To delete existing Schedule, use the delSchedule command with the following options:
Parameter Description
-name <arg> Logical name of the Schedule to delete. Use showSchedules command to
search for the Schedule of interest.

14.3 Displaying a Schedule's settings

To view a Schedule, use the showSchedule command with the following options:
Parameter Description
-name <arg> Logical name of the Schedule to display. Use showSchedules command to
search for the schedule of interest
14.4 Showing a list of Schedules
To view a list of all existing Schedules, use the showSchedules command.

14.5 Editing a Schedule

To change Schedule's settings, use the updateSchedule command with the following options:
Parameter Description
-beginDate <arg> Schedule's start date and time. Should be specified in the following format:
"yyyy-MM-dd HH:mm:ss". Note: since there's a space between the date and
time, use brackets for the complete string.
-endDate <arg> Schedule's end date and time. Should be specified in the following format :
"yyyy-MM-dd HH:mm:ss".
-intervals <arg> Time intervals at which the Schedule should be active. It includes a list of
intervals separated with semicolons. Use su, mo, tu, we, th, fr, sa to specify
a day of week. For example: mo09:00:00-18:00:00;fr09:00:00-18:00:00. Thus
this Schedule activates the affiliated Rule on Mondays from 09.00 to 18.00
and on Fridays from 09.00 to 18.00.
-name <arg> Logical name of a Schedule to edit.
-newName <arg> Assign new logical name of Schedule.
 15 Configuring Subscribers | 97

15 Configuring Subscribers

15.1 Adding a new Server for Subscribers

To configure notification of interested parties via email or instant messengers, you should create a profile of a server
used to send notifications (sending server). To create such a profile, use the addServer command with the following
options:
Parameter Description
-cert <arg> Type of SSL certificate for SMTP server (Enabled | Disabled |
StartTlsPreferred | StartTlsRequired). Default value is Enabled.
-command <arg> External server command.
-host <arg> IP address of the sending server.
-login <arg> User name to access the Sending server.
-mailFrom <arg> Email address the sending server uses to send notifications.
-name <arg> Logical name of the server.
-password <arg> Password to access the Sending server.
-port <arg> port number of the Sending server.
-serverType <arg> Type of the Sending server (smtp | snmp | external). Use external for
external applications (instant messengers for example).
-tls <true | false> Enable/disable TLS (SMTP).

Example:

>executecommand.bat addServer -serverType smtp -cert selfsigned -host smtp.server.com -port 465 -login
test -password test -mailFrom [email protected] -tls false

15.2 Deleting a Server profile

To delete an existing Sending server profile, use the delServer command with the following options:
Parameter Description
-name <arg> Logical name of the Server.
-id <arg> ID of a Server's profile to delete. Use the showServers command to search
for the Server of interest.
 15 Configuring Subscribers | 98

15.3 Displaying Server's profile

To view a profile of a certain Sending server, use the showServer command with the following options:
Parameter Description
-name <arg> Logical name of the Server.
-id <arg> ID of the Server's profile to view (ID is generated automatically while
creating a Server's profile). Use the showServers command to search for
the server of interest.

15.4 Showing a list of Servers

To view a list of all existing Sending servers, use the showServers command. You can use this command to know a
certain Server's ID to use it for updating Server's profile for example.

15.5 Updating a Sending server profile

To change settings of an existing Sending server profile, use the updateServer command with the following
options:
Parameter Description
-name <arg> Logical name of the Server.
-newName <arg> New logical name of the Server.
-command <arg> External Server command.
-cert <arg> Type of SSL certificate for SMTP server (Enabled | Disabled |
StartTlsPreferred | StartTlsRequired). Default value is Enabled.
-host <arg> Address of the sending server.
-id <arg> ID of the Server profile to edit (ID is generated automatically while creating
a Server's profile). Use showServers command to search for the Server
profile of interest.
-login <arg> User name to access the Sending server.
-mailFrom <arg> Email address the sending server uses to send notifications.
-password <arg> Password to access the Sending server.
-port <arg> Port number of the Sending server.
-serverType <arg> Type of the Sending server (smtp | snmp | external). Use external for
external applications (instant messengers for example).
-tls <true | false> Enable/disable TLS.
 15 Configuring Subscribers | 99

15.6 Add a Subscriber

To notify interested parties about DataSunrise system events via email or instant messengers, you should create a
subscriber profile first. To do this, use the AddSubscriber command with the following parameters:
Parameter Description
-name Logical name of the Subscriber
-sendAddress <arg> Email address to send notification at
-serverId <arg> Deprecated
-serverName <arg> Subscriber server name (logical name of the server associated with the
Subscriber)

Example:

>executecommand.bat addSubscriber -name mysubscriber -sendAddress [email protected] -serverName

myserver

15.7 Deleting a Subscriber's profile

To delete an existing Subscriber's profile, use the delSubscriber command with the following options:
Parameter Description
-name <arg> Logical name of the Subscriber.
-id <arg> ID of a Subscriber's profile to delete. Use the showSubscribers command
to search for the subscriber profile of interest.

15.8 Displaying Subscriber's profile

To view a profile of a certain Subscriber, use the showSubscriber command with the following options:
Parameter Description
-name <arg> Logical name of the Subscriber.
-id <arg> ID of the Subscriber profile to display (ID is generated automatically while
creating a subscriber's profile). Use showSubscribers command to search
for the subscriber profile of interest.

15.9 Showing a list of Subscribers

To view a list of all existing Subscriber profiles, use the showSubscribers command. You can use this command to
get a certain subscriber's ID to use it with updateSubscriber or delSubscriber.
15.10 Updating a Subscriber profile
To edit a Subscriber profile, use the updateSubscriber command with the following parameters:
Parameter Description
-id <arg> Deprecated
-name <arg> Logical name of the Subscriber
-newName <arg> New logical name of the Subscriber
-sendAddress <arg> Email address to send notifications at
-serverId <arg> Deprecated
-serverName <arg> Sebscriber server name (logical name of the server associated with
Subscriber)

>executecommand.bat updateSubscriber -sendAddress [email protected] -serverID smtp.server.com:465

 16 Configuring CEF Groups | 101

16 Configuring CEF Groups

16.1 Adding a CEF Group

DataSunrise can export data collected by Data Audit module to external SIEM systems via Syslog. This subsection
enables creating groups of events that DataSunrise transfers to a Syslog server.
There is a prebuilt "default group".
To create a new group of events in CEF (Common Event Format), use the addCefGroup command with the following
parameters:
Parameter Description

-name <arg> Assign a name for the group.

-enable <true | false> Enable/disable the group.

16.2 Adding a CEF Item

To add a new CEF item to the existing group, use the addCefItem command with the following paramters:
Parameter Description

-name <arg> Name of CEF item

-groupName Name of CEF group for Item

-enable <true | false> Enable/disable item

-type <arg> Types of operations to be logged. Available options: Session Open | Session
Close | Operation Open | Operation Close | Operation Exec Start | Operation
Exec Stop | Operation Data | Operation Masking | Operation Blocking
| Operation Meta | Session Failed | Operation Failed | Operation Rule |
Session Rule | Execution Rule

-cef <arg> System events and corresponding CEF code of messages transferred to
Syslog server
 16 Configuring CEF Groups | 102

16.3 Updating a CEF Group

To rename or enable/disable the existing CEF group, use the UpdateCefGroup command with the following
parameters:
Parameter Description

-enable <true | false> Enable/disable the group.

-name The current name of selected CEF group.

-newName <arg> Assign a new name for the group.

16.4 Updating a CEF Item

To change the parameters of a CEF item, use the updateCefItem command with the following parameters:
Parameter Description

-enable <true | false> Assign a name for the client application profile.

-groupName <arg> The name of the CEF group.

-name <arg> Current name of the CEF item.

-newName <arg> New name for the CEF item.

-type <arg> Types of operations to be logged. Available options: Session Open | Session
Close | Operation Open | Operation Close | Operation Exec Start | Operation
Exec Stop | Operation Data | Operation Masking | Operation Blocking
| Operation Meta | Session Failed | Operation Failed | Operation Rule |
Session Rule | Execution Rule

-cef <arg> Specify system events and corresponding CEF code of messages transferred
to the Syslog server.

16.5 Deleting a CEF Group

To delete a CEF group, use the delCefGroup command with the following parameters:
Parameter Description

-name <arg> The name of the CEF group to delete.

 16 Configuring CEF Groups | 103

16.6 Deleting a CEF Item

To delete a CEF item, use the DelCefItem command with the following parameters:
Parameter Description

-name <arg> The name of a CEF item to delete.

16.7 Displaying CEF Groups

To see the list of existing CEF groups, use the showCefGroups command. The command doesn't require any
parameters.

16.8 Displaying CEF Group Parameters

To see the parameters of a CEF group, use the showCefGroup command with the following parameters:
Parameter Description

-name <arg> The name of the required CEF group.

16.9 Displaying a CEF Item

To see the parameters of a CEF itme, use the showCefItem command with the following parameters:
Parameter Description

-groupName <arg> The name of the CEF group.

-name <arg> The name of the required CEF item.

 17 Monitoring Events and Sessions | 104

17 Monitoring Events and Sessions

17.1 Monitoring Events

To view the information about database user operations, you can use the showEvents command and specify a
session ID and an event type (audit, security, masking). For example:

>executecommand.bat showEvents -id 50 -type audit

ID : OperID : ExecID : Time : SQL
117 : 17 : 1 : 26.10 12:58 : SHOW CREATE TABLE `bank1`.`clients`

The showEvents command's parameters:

Attribute Description
-app <arg> Client application
-appOpt <arg> Options to search for application: One of Empty | Not Empty | Like | Not
Like | Match | Not Match | Any
-beginDate <arg> Events starting date formatted as follows: yyyy-MM-dd HH:mm:ss
-data <arg> Options to search for data in result set: One of | Like | Any
-endDate <arg> Ending date formatted as follows: yyyy-MM-dd HH:mm:ss
-id <arg> Session ID
-instance <arg> DB Instance name
-login <arg> DB user name
-loginOpt <arg> Options to search for Login: One of Empty | Not Empty | Like | Not Like |
Match | Not Match | Any
-queryTypes <arg> Semicolon-separated list of query types. To display a list of available
query types, use the showQueryTypes command
-rule <arg> Rule name
-sql <arg> SQL code
-sqlOpt <arg> Options to search for SQL: One of Empty | Not Empty | Like | Not Like |
Match | Not Match | Any
-type <arg> Rule type: audit | security | mask

To view more detailed information about a certain event, use the showEvent command with the following
attributes:

Attribute Description
-eid <arg> Execution ID
-oid <arg> Operation ID
-sid <arg> Session ID
 17 Monitoring Events and Sessions | 105

17.2 Displaying session details

To display session details, use the showSession command with the following options:
Parameter Description
-id <arg> Session ID.

17.3 Displaying active sessions

To display a list of all active sessions, use the showActiveSessions command.

17.4 Displaying network devices

To display a list of all available network devices and their IP addresses, use the showNetDevices command..
 18 Data Discovery | 106

18 Data Discovery

18.1 Adding Data Discovery filter attribute

To create a new attribute to an existing Data Discovery Information Type, use the addDiscoveryAttr command with
the following options.

Parameter Description
-colNames <arg> Column names separated by -nameSeparator. Default value of separator is
<;>

-colNamesCS <true | false> Case-sensitive column names

-colType <arg> Column data type: String | Number | Date
-contTemplate <arg> Template for column content. Only for String column types.

-contTemplateCS <true | false> Case sensitive template for column content

-group <arg> Name of the Data Discovery Information Type

-max <arg> Maximum value for column content. Only for Number column types.

-maxDate <arg> Maximum date for column content. Only for Date column types.

-min <arg> Minimum value for column content. Only for Number column types.

-minDate <arg> Minimum date for column content. Only for Date column types.

-name <arg> Logical name of the Attribute

-nameSeparator <arg> Name separator. Used together with -colNames. Default is <;>

18.2 Adding Data Discovery Information

Type
To create a new Data Discovery Information Type, use the addDiscoveryGr command with the following options.

Parameter Description
-name <arg> Logical name of the Information Type
 18 Data Discovery | 107

18.3 Copying a Data Discovery Information

Type
To make a copy of an existing Data Discovery search filter, use the copyDiscoveryGr command with the following
options.

Parameter Description
-name <arg> Logical name of the Information Type to make a copy of

18.4 Displaying a Data Discovery filter

attribute
To display an attribute of an existing Data Discovery Information Type, use the showDiscoveryAttr command with
the following options.

Parameter Description
-group <arg> Logical name of the Information Type
-name <arg> Logical name of the attribute

18.5 Displaying Data Discovery Information

Types
To display a list of all Data Discovery Information Types, use the showDiscoveryGroups command.

18.6 Displaying a Data Discovery

Information Type
To display an existing Data Discovery Information Type, use the showDiscoveryGr command with the following
options.

Parameter Description
-name <arg> Logical name of the Information Type

18.7 Deleting a Data Discovery filter attribute

To delete an attribute of an existing Data Discovery Information Type, use the delDiscoveryAttr command with the
following options.
 18 Data Discovery | 108

Parameter Description
-group <arg> Logical name of the Information type
-name <arg> Logical name of the attribute

18.8 Removing Data Discovery Information

type
To delete an existing Data Discovery Information Type, use the delDiscoveryGr command with the following
options.

Parameter Description
-name <arg> Logical name of the Information Type

18.9 Updating Data Discovery filter attribute

To update an existing attribute of a Data Discovery Information Type, use the updateDiscoveryAttr command with
the following options.

Parameter Description
-colNames <arg> Column names separated by -nameSeparator. Default value of separator is
<;>

-colNamesCS <true | false> Case-sensitive column names

-colType <arg> Column data type: String | Number | Date
-contTemplate <arg> Template for column content. Only for String column types.

-contTemplateCS <true | false> Case sensitive template for column content

-group <arg> Name of the Data Discovery Information Type

-max <arg> Maximum value for column content. Only for Number column types.

-maxDate <arg> Maximum date for column content. Only for Date column types.

-min <arg> Minimum value for column content. Only for Number column types.

-minDate <arg> Minimum date for column content. Only for Date column types.

-name <arg> Logical name of the Attribute

-newName <arg> New logical name of the Attribute
-nameSeparator <arg> Name separator. Used together with -colNames. Default is <;>
 18 Data Discovery | 109

18.10 Adding a Data Discovery periodic task

To create a new Discovery task, use the addPerDiscovery command:
Parameter Description
-additionalMetrics <true | false> Enable Additional Metrics
-analysedRow <arg> Number of table rows to analyze
-days <arg> Month days (1...31 | last) for Startup separated by [;]

-delResults <true | false> Remove old discovery results

-dsServer <arg> DataSunrise server name | any
-enableStatDataSpeed <true | false> Enable statistics on data processing speed for an AWS S3 Instance
-enableStatOnAttr <true | false> Enable statistics on attributes
-excludedTables <arg> Excluded Discovery Schemas, Tables, Columns formatted like:
"orcl.alex.customers.id;orcl.bob.orders.id" . For Aurora MySQL, MariaDB,
MySQL, Teradata, PostgreSQL the format is "alex.customers.id;bob.orders.id"

-excludeS3Objects <arg> Path to the folder that should be excluded from search for AWS S3 instance.
Note that it should start with "/". Paths are separated by ; by default.
Example:

/bucket1/folder1/folder2/;/bucket2/

-externalCommand <arg> External command

-freqAmount <arg> Startup frequency value
-freqUnit <arg> Startup frequency: Manual | Once | Minutely | Hourly | Daily | Weekly |
Monthly

-generateReport <true | false> Generate a report. False is by default

-instance <arg> Name of the database instance to search across
-keepAmount <arg> Keep results, amount
-keepUnit <arg> Keep results for: Hours | Days | Weeks | Months

-login <arg> Database user login

-maxPerNull <arg> Max percentage of NULL
-minPerMatch <arg> Min percentage of match
-months <arg> Months for startup separated by semicolon [;]
(jan;feb;mar;apr;may;jun;jul;aug;sep;oct; nov;dec)

-name <arg> Task's logical name

-objGroup <arg> Save Search Results in an Object Group: (<IdName> | false)

-password <arg> Database user password

-reportColumns <arg> Columns of the report separated by comma (,) by default (see -
blockSeparator). After ':' name of the report can be specified. For example:
Col1:ColInReport1,Col2,Col3:ColInReport3 (see 'nameSeparator' option)
 18 Data Discovery | 110

Parameter Description
-reportFormat <arg> Report file format (csv | pdf)
-searchByInfoTypes <arg> Information Types separated by semicolon (;) by default

-searchByStandards <arg> Security Standards separated by semicolon (;) by default

-searchDb <arg> Database to search across. Empty value if database is not specified

-searchS3Objects <arg> Path to the folder that should be searched across for AWS S3 instance. Note
that each path should start with "/". Paths are separated by ; by default.
Example:

/bucket1/folder1/folder2/;/bucket2/

All buckets and their subfolders will be scanned if this parameter's value is
empty

-searchSchema <arg> Schema to search at. Empty value if schema is not specified

-searchTable <arg> Table to search at. Empty value if table is not specified

-skipNull <true | false> Skip NULL

-startDate <arg> Starting date: yyyy-MM-dd HH:mm:ss
-subscribers <arg> Subscribers separated by '-blockSeparator'

-weekDays <arg> Day of Week for Startup Separated by semicolon [;] (mo;tu;we;th;fr;sa;su)

-withoutCredentials Do not check database credentials

-writeToSyslog <true | false> Write messages to Syslog

Example (AWS S3):

addPerDiscovery -dsServer local -instance s3 -withoutCredentials -name s3_first_obj_wrng

-searchByStandards HIPAA -freqUnit Manual -searchS3Objects /ahelge/_csv/ne_csv/
csv/,/ahelge/csv/csv/csv/ -excludeS3Objects /alias3test/CSV/,/alias3test/CSV1/,/
angelinatest/1/1/1/1/1/1/1/1/1/1/1/1/1/11/1/1/1/1/11/1/,/ahelge/

Example (PostgreSQL):

addPerDiscovery -dsServer local -instance pg_local -withoutCredentials -name pg_cli -searchByStandards

HIPAA -freqUnit Manual -searchDb demo -searchSchema bookings -searchTable aircrafts
 18 Data Discovery | 111

18.11 Updating a Data Discovery periodic

task
To update an existing Discovery task, use the updatePerDiscovery command:
Parameter Description
-additionalMetrics <true | false> Enable Additional Metrics
-analysedRow <arg> Number of table rows to analyze
-days <arg> Month days (1...31 | last) for Startup separated by [;]

-delResults <true | false> Remove old discovery results

-dsServer <arg> DataSunrise server name | any
-enableStatDataSpeed <true | false> Enable statistics on data processing speed for an AWS S3 Instance
-enableStatOnAttr <true | false> Enable statistics on attributes
-excludedTables <arg> Excluded Discovery Schemas, Tables, Columns formatted like
"orcl.alex.customers.id;orcl.bob.orders.id" . For Aurora MySQL, MariaDB,
MySQL, PostgreSQL, Teradata the format is "alex.customers.id;bob.orders.id"

-excludeS3Objects <arg> Path to the folder that should be excluded from search for AWS S3 instance.
Note that it should start with "/". Paths are separated by ; by default.
Example:

/bucket1/folder1/folder2/;/bucket2/

-externalCommand <arg> External command

-freqAmount <arg> Startup frequency value
-freqUnit <arg> Startup frequency: Manual | Once | Minutely | Hourly | Daily | Weekly |
Monthly

-generateReport <true | false> Generate a report. False is by default

-instance <arg> Name of the database instance to search across
-keepAmount <arg> Keep results, amount
-keepUnit <arg> Keep results for: Hours | Days | Weeks | Months

-login <arg> Database user login

-maxPerNull <arg> Max percentage of NULL
-minPerMatch <arg> Min percentage of match
-months <arg> Months for startup separated by semicolon [;]
(jan;feb;mar;apr;may;jun;jul;aug;sep;oct; nov;dec)

-name <arg> Task's logical name

-newName <arg> New logical name of the Task
-objGroup <arg> Save Search Results in an Object Group: (<IdName> | false)

-password <arg> Database user password

Parameter Description
-reportColumns <arg> Columns of the report separated by comma (,) by default (see -
blockSeparator). After ':' name of the report can be specified. For example:
Col1:ColInReport1,Col2,Col3:ColInReport3 (see 'nameSeparator' option)

-reportFormat <arg> Report file format (csv | pdf)

-searchByInfoTypes <arg> Information Types separated by semicolon (;) by default

-searchByStandards <arg> Security Standards separated by semicolon (;) by default

-searchDb <arg> Database to search across. Empty value if database is not specified

-searchS3Objects <arg> Path to the folder that should be searched across for AWS S3 instance. Note
that each path should start with "/". Paths are separated by ; by default.
Example:

/bucket1/folder1/folder2/;/bucket2/

All buckets and their subfolders will be scanned if this parameter's value is
empty

-searchSchema <arg> Schema to search at. Empty value if schema is not specified

-searchTable <arg> Table to search at. Empty value if table is not specified

-skipNull <true | false> Skip NULL

-startDate <arg> Starting date: yyyy-MM-dd HH:mm:ss
-subscribers <arg> Subscribers separated by '-blockSeparator'

-weekDays <arg> Day of Week for Startup Separated by semicolon [;] (mo;tu;we;th;fr;sa;su)

-withoutCredentials Do not check database credentials

-writeToSyslog <true | false> Write messages to Syslog
 19 Report Generator | 113

19 Report Generator

19.1 Creating a Data Audit report

To create a new Report Gen report on audit events, use the addAuditReportGen command with the following
parameters:
Parameter Description
-beginDate <arg> Starting date to include in a report: "yyyy-MM-dd HH:mm:ss"
-blockSeparator <arg> Block separator. "," (comma) is used by default
-dataFilter <arg> Data Filter
-endDate <arg> Ending date to report on: "yyyy-MM-dd HH:mm:ss"
-externalCommand <arg> Execute an external command
-groupingPeriod <arg> Grouping period, minutes
-instances <arg> List of database instances to report on. They should be separated from each
other with "-blockSeparator". An object Group also can be specified using "-
nameSeparator". For example: Inst1:ObjGr1,Inst2:ObjGr2
-nameSeparator <arg> Name separator. ":" (colon) is used by default
-operationsWithError <true | false> Include operations that caused errors
-queryLenghtLimit <arg> Query length limit
-queryTypes <arg> Query Types separated with -blockSeparator (comma by default). To display
a list of all available query types, use the "showQueryTypes" command
-reportColumns <arg> Columns in a report separated with -blockSeparator (comma by default).
-reportFormat <arg> Output file format (csv | pdf)
-reportPeriod <arg> Reporting period: <currentDay | currentWeek | currentMonth | lastNDay |
lastNWeek | lastNMonth | manual>
-reportPeriodValue <arg> Reporting period value ('1' is by default)
-requestsPerGroupPeriod <arg> Requests per Grouping Period (Any | Less Than | Equal | More Than)
-requestsPerGroupPeriodValue Used together with -requestsPerGroupPeriod
<arg>
-rules <arg> Report on events captured by the specified Rules only. If multiple Rules
should be reported on, their logical names in a list should be separated with
a comma ( , )
-subscribers <arg> Names of Subscribers separated with commas
-totalNumOfReturnedRows <arg> Total number of returned rows (Any | Less Than | Equal | More Than)
-totalNumOfReturnedRowsValue Used together with -totalNumberOfReturnedRows
<arg>
-writeToSyslog <true | false> write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).
 19 Report Generator | 114

19.2 Updating a Data Audit Task

To update an existing Report Gen Audit task, use the updateAuditReportGen command with the following
parameters:
Parameter Description
-newName <arg> New Logical name of the task

Also available all the parameters of the addAuditReportGen command (refer to Creating a Data Audit report)
 19 Report Generator | 115

19.3 Creating a Data Security report

To create a new Report Gen report on security events, use the addSecurityReportGen command with the following
parameters:
Parameter Description
-beginDate <arg> Starting date to include in a report. yyyy-MM-dd HH:mm:ss
-blockSeparator <arg> Block separator. "," (comma) is used by default
-dataFilter <arg> Data Filter
-endDate <arg> The ending date to report on. yyyy-MM-dd HH:mm:ss
-externalCommand <arg> Execute an external command
-groupingPeriod <arg> Grouping period, minutes
-instances <arg> List of database instances to report on. They should be separated from each
other with the '-blockSeparator'. An object Group also can be specified
using '-nameSeparator'. For example: Inst1:ObjGr1,Inst2:ObjGr2
-nameSeparator <arg> Name separator. ":" (colon) is used by default
-pageSize <arg> Page size (small | regular | large)
-queryLenghtLimit <arg> Query length limit
-queryTypes <arg> Query Types separated with -blockSeparator (comma by default). To display
a list of all available query types, use the 'showQueryTypes' command
-reportColumns <arg> Columns in a report separated with -blockSeparator (comma by default).
-reportFormat <arg> Output file format (csv | pdf)
-reportPeriod <arg> Reporting period: <currentDay | currentWeek | currentMonth | lastNDay |
lastNWeek | lastNMonth | manual>
-reportPeriodValue <arg> Reporting period value ('1' is by default)
-requestsPerGroupPeriod <arg> Requests per Grouping Period (Any | Less Than | Equal | More Than)
-requestsPerGroupPeriodValue Used together with -requestsPerGroupPeriod
<arg>
-subscribers <arg> Names of Subscribers separated with -blockSeparator
-totalNumberOfReturnedRows Total number of returned rows (Any | Less Than | Equal | More Than)
<arg>
-totalNumberOfReturnedRowsValue Used together with -totalNumberOfReturnedRows
<arg>
-writeToSyslog <true | false> write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).
 19 Report Generator | 116

19.4 Updating a Data Security Task

To update an existing Report Gen task on security events, use the updateSecurityReportGen command with the
following parameters:
Parameter Description
-newName <arg> New Logical name of the Task

Also available all the parameters of the addSecurityReportGen command (refer to Creating a Data Security report)
 19 Report Generator | 117

19.5 Creating a Data Masking report

To create a new Report Gen report on masking events, use the addMaskingReportGen command with the
following parameters:
Parameter Description
-beginDate <arg> Starting date to include in a report: <yyyy-MM-dd HH:mm:ss>
-blockSeparator <arg> Block separator. "," (comma) is used by default
-dataFilter <arg> Data Filter
-endDate <arg> Ending date to report on: <yyyy-MM-dd HH:mm:ss>
-externalCommand <arg> Execute an external command
-groupingPeriod <arg> Grouping period, minutes
-instances <arg> List of database instances to report on. They should be separated from each
other with the "-blockSeparator". An object Group also can be specified
using "-nameSeparator". For example: "Inst1:ObjGr1,Inst2:ObjGr2"
-nameSeparator <arg> Name separator. ":" (colon) is used by default
-pageSize <arg> Page size <small | regular | large>
-queryTypes <arg> Query Types separated with -blockSeparator (comma by default). To display
a list of all available query types, use the "showQueryTypes" command
-reportColumns <arg> Columns in a report separated with -blockSeparator (comma by default).
-reportFormat <arg> Output file format <csv | pdf>
-reportPeriod <arg> Reporting period: <currentDay | currentWeek | currentMonth | lastNDay |
lastNWeek | lastNMonth | manual>
-reportPeriodValue <arg> Reporting period value ("1" is by default)
-requestsPerGroupPeriod <arg> Requests per Grouping Period: <Any | Less Than | Equal | More Than>
-requestsPerGroupPeriodValue Should be used together with -requestsPerGroupPeriod
<arg>
-rules <arg> Existing Rules to report on. Should be separated with "," (comma)
-subscribers <arg> Names of Subscribers separated with -blockSeparator
-totalNumberOfReturnedRows Total number of returned rows <Any | Less Than | Equal | More Than>
<arg>
-totalNumberOfReturnedRowsValue Should be used together with -totalNumberOfReturnedRows
<arg>
-writeToSyslog <true | false> write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).
 19 Report Generator | 118

19.6 Updating a Data Masking task

To update an existing Masking Report Gen task, use the updateMaskingReportGen command with the following
parameters:
Parameter Description
-newName <arg> New logical name of the reporting Task

Also available all the parameters of the addMaskingReportGen command (refer to Creating a Data Masking report)
 19 Report Generator | 119

19.7 Creating an Operation Errors report

To create a new Report Gen report on operation errors, use the addOperationErrorsReportGen command with the
following parameters:
Parameter Description
-beginDate <arg> Starting date to include in a report: <yyyy-MM-dd HH:mm:ss>
-blockSeparator <arg> Block separator. "," (comma) is used by default
-dataFilter <arg> Data Filter
-endDate <arg> The ending date to report on: <yyyy-MM-dd HH:mm:ss>
-externalCommand <arg> Execute an external command
-groupingPeriod <arg> Grouping period, minutes
-instances <arg> List of database instances to report on. They should be separated from each
other with the "-blockSeparator". An object Group also can be specified
using "-nameSeparator". For example: "Inst1:ObjGr1,Inst2:ObjGr2"
-nameSeparator <arg> Name separator. ":" (colon) is used by default
-pageSize <arg> Page size <small | regular | large>
-queryLenghtLimit <arg> Query length limit
-queryTypes <arg> Query Types separated with -blockSeparator (comma by default). To display
a list of all available query types, use the "showQueryTypes" command
-reportColumns <arg> Columns in a report separated with -blockSeparator (comma by default).
-reportFormat <arg> Output file format <csv | pdf>
-reportPeriod <arg> Reporting period: <currentDay | currentWeek | currentMonth | lastNDay |
lastNWeek | lastNMonth | manual>
-reportPeriodValue <arg> Reporting period value ("1" is by default)
-requestsPerGroupPeriod <arg> Requests per Grouping Period: <Any | Less Than | Equal | More Than>
-requestsPerGroupPeriodValue Should be used together with -requestsPerGroupPeriod
<arg>
-subscribers <arg> Names of Subscribers separated with -blockSeparator
-totalNumberOfReturnedRows Total number of returned rows: <Any | Less Than | Equal | More Than>
<arg>
-totalNumberOfReturnedRowsValue Should be used together with -totalNumberOfReturnedRows
<arg>
-writeToSyslog <true | false> write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).
 19 Report Generator | 120

19.8 Updating an Operation Errors Task

To create a new Report Gen report on operation errors, use the updateOperationErrorsReportGen command with
the following parameters:
Parameter Description
-newName <arg> New Logical name of the task

Also available all the parameters of the addOperationErrorsReportGen command (refer to Creating an Operation
Errors report)
 19 Report Generator | 121

19.9 Creating a Session report

To create a new Report Gen report on sessions, use the addSessionReportGen command with the following
parameters:
Parameter Description
-beginDate <arg> Starting date to include in a report: <yyyy-MM-dd HH:mm:ss>
-blockSeparator <arg> Block separator. "," (comma) is used by default
-dataFilter <arg> Data Filter
-endDate <arg> The ending date to report on: <yyyy-MM-dd HH:mm:ss>
-externalCommand <arg> Execute an external command
-groupingPeriod <arg> Grouping period, minutes
-instances <arg> List of database instances to report on. They should be separated from each
other with the "-blockSeparator". An object Group also can be specified
using "-nameSeparator". For example: "Inst1:ObjGr1,Inst2:ObjGr2"
-nameSeparator <arg> Name separator. ":" (colon) is used by default
-pageSize <arg> Page size: <small | regular | large>
-queryLenghtLimit <arg> Query length limit
-queryTypes <arg> Query Types separated with -blockSeparator (comma by default). To display
a list of all available query types, use the "showQueryTypes" command
-reportColumns <arg> Columns in a report separated with -blockSeparator (comma by default).
-reportFormat <arg> Output file format: <csv | pdf>
-reportPeriod <arg> Reporting period: <currentDay | currentWeek | currentMonth | lastNDay |
lastNWeek | lastNMonth | manual>
-reportPeriodValue <arg> Reporting period value ("1" is by default)
-requestsPerGroupPeriod <arg> Requests per Grouping Period: <Any | Less Than | Equal | More Than>
-requestsPerGroupPeriodValue Used together with -requestsPerGroupPeriod
<arg>
-rules <arg> Rules to report on
-sessionReportType <arg> Report Type: <All sessions | Error sessions | Auth error sessions only>
-subscribers <arg> Names of Subscribers separated with -blockSeparator
-totalNumberOfReturnedRows Total number of returned rows: <Any | Less Than | Equal | More Than>
<arg>
-totalNumberOfReturnedRowsValue Used together with -totalNumberOfReturnedRows
<arg>
-writeToSyslog <true | false> write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).
 19 Report Generator | 122

19.10 Updating a Session Report task

To update an existing Session report Report Gen task, use the updateSessionReportGen command with the
following parameters:
Parameter Description
-newName <arg> New Logical name of the task

Also available all the parameters of the addSessionReportGen command (refer to Creating a Session report)

19.11 Creating a System Events report

To create a new Report Gen report on system events, use the addSystemEventsReportGen command with the
following parameters:
Parameter Description
-beginDate <arg> Starting date to include in a report: <yyyy-MM-dd HH:mm:ss>
-endDate <arg> The ending date to report on: <yyyy-MM-dd HH:mm:ss>
-externalCommand <arg> Execute an external command
-pageSize <arg> Page size <small | regular | large>
-reportColumns <arg> Columns in a report separated with -blockSeparator (comma by default)
-reportFormat <arg> Output file format <csv | pdf>
-reportPeriod <arg> Reporting period: <currentDay | currentWeek | currentMonth | lastNDay |
lastNWeek | lastNMonth | manual>
-reportPeriodValue <arg> Reporting period value ("1" is by default)
-subscribers <arg> Names of Subscribers separated with -blockSeparator
-writeToSyslog <true | false> write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).

19.12 Updating a System Events task

To update an existing System Events Report Gen task, use the updateSystemEventsReportGen command with the
following parameters:
Parameter Description
-newName <arg> New logical name of the reporting Task

Also available all the parameters of the addSystemEventsReportGen command (refer to Creating a System Events
report)
 19 Report Generator | 123

19.13 Creating a Report Gen task on Direct

Sessions
To create a new Report Gen report on direct sessions, use the addDirectSessionReportGen command with the
following parameters:
Parameter Description
-blockSeparator <arg> Block separator. "," (comma) is used by default
-externalCommand <arg> Execute an external command
-generateReport <true | false> Generate a report. False by default
-instance <arg> Database Instance to report on: <instance_name> | any
-nameSeparator <arg> Name separator. ":" (colon) is used by default
-reportFormat <arg> Output file format <csv | pdf>
-subscribers <arg> Names of Subscribers separated with -blockSeparator
-writeToSyslog <true | false> Write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).

19.14 Updating a Report Gen task on Direct

Sessions
To update an existing Report Gen task on direct sessions, use the updateDirectSessionReportGen command with
the following parameters:
Parameter Description
-newName <arg> New logical name of the reporting Task

Also available all the parameters of the addDirectSessionReportGen command (refer to Creating a Report Gen task
on Direct Sessions)
 19 Report Generator | 124

19.15 Creating an Instances Status report

To create a new Report Gen report on Database Instances' status, use the addInstStatusReportGen command with
the following parameters:
Parameter Description
-blockSeparator <arg> Block separator. "," (comma) is used by default
-externalCommand <arg> Execute an external command
-generateReport <true | false> Create a report
-nameSeparator <arg> Name separator. ":" (colon) is used by default
-reportFormat <arg> Output file format (csv | pdf)
-subscribers <arg> Names of Subscribers separated with commas
-writeToSyslog <true | false> Write messages to Syslog

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks).

19.16 Updating an existing Instances Status

Task
To edit an existing Report Gen Task on Database Instances' status, use the updateInstStatusReportGen command
with the following parameters:
Parameter Description
-newName <arg> New logical name of Task

Also available all the parameters of the addInstStatusReportGen command (refer to Creating an Instances Status
report)

19.17 Displaying an existing Report Gen task

To display details of an existing Report Gen task, use the showReportGen command with the following parameters:
Parameter Description
-name <arg> Report Gen Task logical name

19.18 Displaying a list of existing Report

Gen tasks
To display a list of existing Report Gen tasks, use the showReportsGen command.
 19 Report Generator | 125

19.19 Displaying existing Report Gen reports

To display existing Report Gen reports, use the showReports command with the following parameters:
Parameter Description
-beginDate <arg> Report starting date (yyyy-MM-dd HH:mm:ss). Default starting date is the
current date's starting
-endDate <arg> Report ending date (yyyy-MM-dd HH:mm:ss). Default ending date is the
current date's ending
-eventType <arg> Event type: <a> is for audit, <s> - is for security and <m> is for masking
Rules respectively
-instance <arg> Database Instance name.
-reportType <arg> Report type: <app> is for application, <host> is for hosts, <user> is for
database users, <ip> is for IP addresses

19.20 Deleting a Report Gen task

To delete an existing Report Gen task, use the delReportGen command:
Parameter Description
-name <arg> Logical name of the Report Gen Task to be deleted
 20 Configuring Database User Mapping Settings | 126

20 Configuring Database User

Mapping Settings

20.1 Enabling Database User Mapping

To enable the user mapping function for the specified instance, use the enableDbUserMapping command with the
following parameters:
Parameter Description
-mapType <arg> Mapping type (config | file | db)
-database <arg> Database name (only for -mapType db)
-dbHost <arg> Database host (only for -mapType db)
-dbType <arg> Database type (greenplum | postgresql | redshift | vertica | netezza)
-dbPort <arg> Database port number
-file <arg> File name (only for -mapType file)
-instance <arg> Instance name
-login <arg> Database user login (only for -mapType db)
-password <arg> Database user password (only for -mapType db)

The -mapType <arg> parameter has 3 options on how to store the list of mapped users.
• -mapType config
The list of mapped users will be stored in DataSunrise configurations.

executecommand.bat enableDbUserMapping -instance vertica -mapType config

• mapType file
The list of mapped users will be stored in the text format. -file <arg> is used to assign a name for the txt-file.
There is no need to create the file.

executecommand.bat enableDbUserMapping -instance vertica -mapType file -file mapped_users.txt

• -mapType db
The list of mapped users will be stored in an external database.

Example:

executecommand.bat enableDbUserMapping -mapType db -database mssql -dbHost 127.0.0.1 -dbPort 2014 -

dbType mssql -instance mssql2014 -login sa -password 1234
 20 Configuring Database User Mapping Settings | 127

20.2 Adding an LDAP server

To add an LDAP server, use the addLdapServer command with the following options:
Parameter Description
-awsSmID <arg> AWS Secrets Manager ID
-azureKeyVault <arg> MS Azure Key Vault
-azureSecretName <arg> MS Azure Secret Name
-baseDn <arg> Database DN
-cyberArkFolder <arg> CyberArk folder
-cyberArkObject <arg> CyberArk object
-cyberArkSafe <arg> CyberArk safe
-default <true | false> Use the current LDAP server as a default one
-domain <arg> LDAP server domain
-groupAttr <arg> Group attribute
-host <arg> LDAP server host
-login <arg> LDAP login
-loginAttr <arg> Login Attribute
-loginCustomFormat <arg> Login Custom Format (see the Admin Guide for description)
-loginType <arg> (Custom | Microsoft Active Directory | Open LDAP | Directory Server |
Apache Directory Studio)
-mailAttr <arg> Email Attribute
-name <arg> Logical name of the LDAP server
-password <arg> LDAP password
-port <arg> LDAP server port number
-roleARN <arg> Role ARN
-savePassword <arg> Password storage type: ds | ca | awssm | azurekv
-ssl <true | false> Use SSL for connection
-userFilter <arg> User filter

Example:

>executecommand.bat addLdapServer -baseDn cn=users,dc=db,dc=local -default true -domain DB -host

192.168.1.51 -login aduser -loginCustomFormat aduser -loginType Custom -name Custom -password 84218421
-port 389 -ssl false -userFilter “(&(objectCategory=User)(sAMAccountName=<name>))”
 20 Configuring Database User Mapping Settings | 128

20.3 Updating an LDAP server

To update an existing LDAP server, use the updateLdapServer command with the following options:
Parameter Description
-baseDn <arg> Database DN
-cyberArkFolder <arg> CyberArk folder
-cyberArkObject <arg> CyberArk object
-cyberArkSafe <arg> CyberArk safe
-default <true | false> Use the current LDAP server as a default one
-domain <arg> LDAP server domain
-groupAttr <arg> Group attribute
-host <arg> LDAP server host
-login <arg> LDAP login
-loginAttr <arg> Login Attribute
-loginCustomFormat <arg> Login Custom Format (see the Admin Guide for description)
-loginType <arg> (Custom | Microsoft Active Directory | Open LDAP | Directory Server |
Apache Directory Studio)
-mailAttr <arg> Email Attribute
-name <arg> Logical name of the LDAP server
-password <arg> LDAP password
-port <arg> LDAP server port number
-ssl <true | false> Use SSL for connection
-userFilter <arg> User filter
 20 Configuring Database User Mapping Settings | 129

20.4 Adding a Database User Mapping

To map an Active Directory user to a database user, use the addDbUserMapping command with the following
parameters:
Parameter Description
-instance <arg> Instance name
-adLogin <arg> Active Directory user login
-dbLogin <arg> Database user login
-dbPassword <arg> Database user password
-hashType <arg> HashType (MD5 | SHA-256 | SHA-512 | crypto). SHA-512 is available for
Vertica only, SHA-256 and crypto are available for Netezza only.
-adminLogin <arg> User login to access the database where the salt for the user is stored (only
for SHA-***).
-adminPassword <arg> User password to access the database where salt for the user is stored (only
for SHA-***).

You can use MD5 or SHA-512 encryption algorithms (for now, SHA-512 is available only for Vertica DB).
• To use MD5 encryption algorithm, perform the following:

executecommand.bat addDbUserMapping -instance vertica -adLogin <AD_user> -dbLogin <DB_user> -

dbPassword <DB_password> -hashType MD5

• To use SHA-512 encryption algorithm, perform the following:

executecommand.bat addDbUserMapping -instance vertica -adLogin <AD_login> -dbLogin <DB_user_1> -

dbPassword <password> -hashType SHA-512 -login <DB_user_2> -password <DB_user_password_2>

DB_user_2 and DB_user_password_2 are required to access the database where the salt for the user is stored.

20.5 Showing Mapped Users

To get the information about existing mapping configurations, use the showAdDbUserMapping command with the
following parameters:
Parameter Description
-instance <arg> Instance name.

20.6 Displaying an LDAP server

To view an existing LDAP server, use the showLdapServer command with the following options:
Parameter Description
-name <arg> Logical name of the LDAP server to show
Example:

>executecommand.bat showLdapServer -name ghg

20.7 Displaying LDAP servers

To view existing LDAP servers, use the showLdapServers command:
Example:

>executecommand.bat showLdapServers

20.8 Deleting Database User Mapping

Configurations
To delete existing database user mapping configurations, use the delDbUserMapping command with the following
parameters:
Parameter Description
-adGroup <arg> Active Directory group.
-adLogin <arg> Active Directory login.
-instance <arg> Instance name.
-ldapServer <arg> LDAP server name.

20.9 Deleting an LDAP server

To delete an existing LDAP server, use the delLdapServer command with the following options:
Parameter Description
-name <arg> Logical name of the LDAP server to delete

Example:

>executecommand.bat delLdapServer -name ghg

20.10 Disabling Database User Mapping

To disable the user mapping function for the specified instance, use the disableDbUserMapping command with the
following parameters:
Parameter Description
-instance <arg> Instance name
 21 Periodic Tasks | 131

21 Periodic Tasks
The following parameters are available for each periodic task types because related to the periodicity of starting:

Parameter Description
-name <arg> Logical Name
-days <arg> Month Days (1...31 | last) for Startup Separated by [;]

-delResults <true | false> Remove Old Results

-dsServer <arg> DataSunrise <server name> | any
-freqAmount <arg> Frequency of performing the task
-freqUnit <arg> Startup Frequency: Manual | Once | Minutely | Hourly | Daily | Weekly |
Monthly
-keepAmount <arg> Number of results to keep
-keepUnit <arg> Keep Results for: Hours | Days | Weeks | Months
-months <arg> Months for Startup Separated by [;]
(jan;feb;mar;apr;may;jun;jul;aug;sep;oct;nov;dec)

-startDate <arg> Start Date: yyyy-MM-dd HH:mm:ss

-weekDays <arg> Day of Week for Startup Separated by [;] (mo;tu;we;th;fr;sa;su)

21.1 Adding a Clean audit periodic task

To create a periodic task for Cleaning the Audit Storage, use the addPerCleanAudit command:
Parameter Description
-cleanType <arg> How to clean the storage: Delete | Drop | KeepDays
-keepDays <arg> Keep auditing data, days

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.2 Updating a Clean audit periodic task

To update a periodic task for Cleaning the Audit Storage, use the updatePerCleanAudit command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerCleanAudit command (refer to Adding a Clean audit periodic task)
 21 Periodic Tasks | 132

21.3 Adding a Health check periodic task

To create a periodic task for Health check, use the addPerHealthCheck command:
Parameter Description
-instance <arg> Database instance to perform a health check for
-lbAddress <arg> Load Balancer public address
-lbPort <arg> Load Balancer port
-sendErrors <true | false> Send errors to Events
-testMethod <arg> Proxy testing method: ExecSys || WebCheck

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.4 Updating a Health check periodic task

To update a periodic task for Health check, use the updatePerHealthCheck command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerHealthCheck command (refer to Adding a Health check periodic task)

21.5 Adding an Update metadata periodic

task
To create a periodic task for Metadata update, use the addPerUpdateMetadata command
Parameter Description
-Instance <arg> Database instance to update metadata of

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.6 Updating an Update metadata periodic

task
To update a periodic task for Metadata update, use the updatePerUpdateMetadata command:
Parameter Description
-newName <arg> New logical name of the task
 21 Periodic Tasks | 133
Also available all the parameters of the addPerUpdateMetadata command (refer to Adding an Update metadata
periodic task)

21.7 Adding a Backup Dictionary periodic

task
To create a periodic task for the Dictionary backing-up, use the addPerBackupDictionary command:
Parameter Description
-backupName <arg> Logical name of the backup
-backupObjects <true | false> Backup DataSunrise Objects
-backupSettings <true | false> Backup DataSunrise Settings
-backupUsers <true | false> Backup DataSunrise Users
-command <arg> Execute external command after backing up

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.8 Updating a Backup Dictionary periodic

task
To update and existing Dictionary Backup task, use the updatePerBackupDictionary command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerBackupDictionary command (refer to Adding a Backup Dictionary
periodic task)

21.9 Adding a User Behavior task

To create a User Behavior Periodic task, use the addPerUserBehavior commands:
Parameter Description
-number <arg> Number value for lastNDay, lastNWeek, lastNDay

-repPerType <arg> Reporting Period Type: lastNDay | lastNWeek | lastNMonth | currentMonth |

currentWeek | currentDay | manual

-trEndDate <arg> Training End Date. Date format: yyyy-MM-dd

-trStartDate <arg> Training Start Date. Date format: yyyy-MM-dd

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).
 21 Periodic Tasks | 134

21.10 Updating a User Behavior task

To update an existing User Behavior Periodic task, use the updatePerUserBehavior command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerUserBehavior command (refer to Adding a Uset Behavior task)

21.11 Adding a Vulnerability Assessment

periodic task
To create a periodic task for Vulnerabilty Assessment, use the addPerVulnAssessment command:
Parameter Description
-instances <arg> Comma-separated DB Instances; Levae it blank if you want to add all
existing Instances
-subscribers <arg> Comma-separated SMTP subscriber names

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.12 Updating a Vulnerability Assessment

periodic task
To update a periodic task for Vulnerabilty Assessment, use the updatePerVulnAssessment command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerVulnAssessment command (refer to Adding a Vulnerability
Assessment periodic task)
 21 Periodic Tasks | 135

21.13 Adding a Query History Table Relation

Learning periodic task
To create a Table Relation Learning Task, use the addQueryHisTabRelLearnPerTask command:
Parameter Description
-auditDataDmlFilters <arg> Columns that should be processed. The list of columns should be formatted
as follows: "orcl.alex.customers.id;orcl.bob.orders.id"
-auditSkipDmlFilters <arg> Columns that should be skipped. The list of columns should be formatted
as follows: "orcl.alex.customers.id;orcl.bob.orders.id"
-includeObjectGroups <arg> Object groups that should be skipped. Comma-separated names of groups
-instance <arg> Instance name
-tableRel <arg> Table Relation name

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.14 Adding a DDL Table Relation Learning

periodic task
To create a DDL Table Relation Learning Task, use the addDDLTabRelLearnPerTask command:
Parameter Description
-analyzeProcAndFunc <true | false> Analyze Stored Procedures and Functions DDLs

-analyzeView <true | false> Analyze View DDLs

-instance <arg> Instance name
-login <arg> Instance login
-password <arg> Instance password
-sysDba <true | false> Connect to Oracle instance with SYSDBA privileges

-tableRel <arg> Table Relation name

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).
 21 Periodic Tasks | 136

21.15 Updating a DDL Table Relation

Learning periodic task
To update an existing DDL Table Relation Learning Task, use the updateDDLTabRelLearnPerTask command:
Parameter Description
-newName <arg> New logical name of the Task

Also available all the parameters of the addDDLTabRelLearnPerTask command (refer to Adding a DDL Table
Relation Learning periodic task)

21.16 Adding an Azure Remove Unused

Servers periodic task
To create a periodic task for removal of unused MS Azure servers, use the addPerAzureRemoveServ command:
Parameter Description
-instance <arg> Database Instance name

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.17 Updating an Azure Remove Unused

Servers periodic task
To update a periodic task for removal of unused MS Azure servers, use the updatePerAzureRemoveServ command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerAzureRemoveServ command (refer to Adding an Azure Remove
Unused Servers periodic task)

21.18 Adding a Kubernetes Remove Unused

Servers periodic task
To create a Kubernetes Remove Unused Servers task, use the addPerKuberRemoveServ command:
Parameter Description
-namespace <arg> Namespace
 21 Periodic Tasks | 137
In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.19 Updating a Kubernetes Remove

Unused Servers periodic task
To update an existing Kubernetes Remove Unused Servers task, use the updatePerKuberRemoveServ command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerKuberRemoveServ command (refer to Adding a Kubernetes Remove
Unused Servers periodic task)

21.20 Adding a DB User Synchronization

Periodic task
To create a periodic task to download a list of database users from a target database, use the addPerDbUserSync
command:
Parameter Description
-distrByResp <true | false> Distribute by responsibilities. Only for Oracle EBS Source of User Type
-instance <arg> Instance name to download a user list for
-ldapSearchFilter <arg> Search Filter
-ldapServer <arg> LDAP server
-ldapUserNameAttr <arg> User Name attribute
-login <arg> DB Instance login
-password <arg> Instance password
-responsibilities <arg> Database responsibilities. Comma-separated names of roles. Only for Oracle
EBS Source

-roles <arg> Database roles. Comma-separated names of roles. Only for MSSQL, MySQL,
Oracle, PostgreSQL, Redshift

-sysDba <true | false> Connect to Oracle instance with SYSDBA privileges

-userGroup <arg> User Group

-userSource <arg> Source of Users: Database, LDAP, Oracle EBS, SAP ECC

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).
 21 Periodic Tasks | 138

21.21 Updating a DB User Synchronization

Periodic task
To update an existing periodic task to download a list of database users from a target database, use the
updatePerDbUserSync command:
Parameter Description
-newName <arg> New logical name of the Task

Also available all the parameters of the addPerDbUserSync command (refer to Adding a DB User Synchronization
Periodic task)

21.22 Adding a Test Bucket Accessibility

periodic task
To create a periodic task for Test Bucket Accessibility, use the addPerTestBucketAccess command:
Parameter Description
-crawlerTasks <arg> Crawler Tasks separated by comma.
-instance <arg> Instance Name for Test Bucket Accessibility
-skipDuplicates <true | false> Skip duplicate buckets

In addition to the above parameters, you can also use the parameters available for all periodic task types (refer to
Periodic Tasks on page 142).

21.23 Updating a Test Bucket Accessibility

periodic task
To update a periodic task for Test Bucket Accessibility, use the updatePerTestBucketAccess command:
Parameter Description
-newName <arg> New logical name of the task

Also available all the parameters of the addPerTestBucketAccess command (refer to Adding a Test Bucket
Accessibility periodic task).
 21 Periodic Tasks | 139

21.24 Deleting a periodic task

To delete an existing periodic task, use the delPerTask command:
Parameter Description
-name <arg> Logical name of the task
-taskType <arg> Periodic task type: Clean Audit || Backup Dictionary || User Behavior ||
Query History Table Relation Learning || Vulnerability Assessment || Update
Metadata || Periodic Data Discovery || Health Check || Azure Remove
Unused Servers || AWS Remove Unused Servers || DDL Table Relation
Learning || Database User Synchronization || Kubernetes Remove Unused
Servers || Transfer Audit to Elasticsearch || Test Bucket Accessibility || AWS S3
Crawler

21.25 Displaying a periodic task

To show the details of an existing periodic task, use the showPerTask command:
Parameter Description
-name <arg> Logical name of the task
-taskType <arg> Periodic task type: "Clean Audit" || "Update Metadata" || "Health Check" ||
"Backup Dictionary" || "AWS Remove Unused Servers" || "User Bahavior" ||
"Query History Table Relation Learning" || "DDL Table Relation Learning" ||
"Database User Synchronization" || "Azure Remove Unused Servers"
 22 SSL Key Groups | 140

22 SSL Key Groups

22.1 Adding an SSL Key Group

To add a new SSL Key Group, use the addSslKeyGroup command with the following options:
Parameter Description
-ca <arg> File which contains the CA Certificate. The file name can include an absolute
or relative path.
-cert <arg> File which contains a Certificate. The file name can include an absolute or
relative path.
-dh <arg> File which contains Diffie-Hellman parameters. The file name can include an
absolute or relative path.
-ec <arg> File which contains Elliptic Curve Diffie-Hellman parameters. The file name
can include an absolute or relative path.
-name <arg> Logical name of the Key Group.
-priv <arg> File which contains the Private key. The file name can include an absolute or
relative path.
-type <arg> Type of Key Group: Proxy, Sniffer, Interface. Proxy is used by default.

22.2 Updating an SSL Key Group

To update an existing SSL Key Group, use the updateSslKeyGroup command with the following options:
Parameter Description
-ca <arg> File which contains the CA Certificate. The file name can include an absolute
or relative path.
-cert <arg> File which contains a Certificate. The file name can include an absolute or
relative path.
-dh <arg> File which contains Diffie-Hellman parameters. The file name can include an
absolute or relative path.
-ec <arg> File which contains Elliptic Curve Diffie-Hellman parameters. The file name
can include an absolute or relative path.
-name <arg> Logical name of the Key Group.
-newName <arg> New logical name of the Key Group.
-priv <arg> File which contains the Private key. The file name can include an absolute or
relative path. To clear a private key file, use <""> as parameter's value:

updateSslKeyGroup -name myname -priv ""

-type <arg> Type of Key Group: Proxy, Sniffer, Interface. Proxy is used by default.
 22 SSL Key Groups | 141

22.3 Deleting an SSL Key Group

To delete an existing SSL Key Group settings, use the delSslKeyGroup command with the following options:
Parameter Description
-name <arg> Logical name of the Key Group.

22.4 Displaying an SSL Key Group

To display an existing SSL Key Group settings, use the showSslKeyGroup command with the following options:
Parameter Description
-name <arg> Logical name of the Key Group.

22.5 Displaying SSL Key Groups

To display a list of existing SSL Key Group, use the showSslKeyGroups command.
 23 Configuring Application User Capturing | 142

23 Configuring Application User

Capturing

23.1 Adding an Application User Capturing

To add an App User Capturing, use the addAppUserCapturingSetting command with the following parameters:
Parameter Description
-capturingType <arg> Type of capturing: query | resultSet | bindVars | sessionParams | sapEcc |
orclEBS

-caseSensitive <true | false> Match Pattern case-sensitivity

-columnIndex <arg> Column Index
-columnName <arg> Column Name
-enable <true | false> Enable Application User Capturing
-instance <arg> Name of the Instance
-matchPattern <arg> Full Match Pattern
-name <arg> App User Capturing logical name

Example:

addAppUserCapturingSetting -name first -instance psg -capturingType query -matchPattern hello

 23 Configuring Application User Capturing | 143

23.2 Updating an Application User Capturing

To update an existing App User Capturing, use the updateAppUserCapturingSetting command with the following
parameters:
Parameter Description
-capturingType <arg> Type of capturing: query | resultSet | bindVars | sessionParams | sapEcc |
orclEBS

-caseSensitive <true | false> Match Pattern case-sensitivity

-columnIndex <arg> Column Index
-columnName <arg> Column Name
-enable <true | false> Enable Application User Capturing
-instance <arg> Name of the Instance
-matchPattern <arg> Full Match Pattern
-name <arg> App User Capturing logical name
-newName <arg> New App User Capturing logical name

Example:

updateAppUserCapturingSetting -name first -newName 11 -instance psg -capturingType query -matchPattern

hello

23.3 Deleting an Application User Capturing

To delete an existing App User Capturing, use the delAppUserCapturingSetting command with the following
parameters:
Parameter Description
-instance <arg> Name of the Instance
-name <arg> App User Capturing logical name

Example:

delAppUserCapturingSetting -instance psg -name bindVars

23.4 Displaying a list of Application User
Capturings
To display a list of existing App User Capturings, use the showAppUserCapturingList command with the following
parameters:
Parameter Description
-instance <arg> Name of the Instance

Example:

showAppUserCapturingList -instance psg

23.5 Displaying an Application User

Capturing settings
To display an existing App User Capturing, use the showAppUserCapturingSetting command with the following
parameters:
Parameter Description
-instance <arg> Name of the Instance
-name <arg> App User Capturing logical name

Example:

showAppUserCapturingSetting -instance psg -name bindVars

 24 Tags | 145

24 Tags

24.1 Adding a tag

To add a tag, use the addTag command:
Parameter Description
-entityName <arg> Name of the entity to add a tag for
-entityType <arg> Entity type: Rule | Periodic Task | Object Group
-name <arg> Tag's key
-value <arg> Tag's value

24.2 Deleting a tag

To delete a tag, use the delTag command:
Parameter Description
-entityName <arg> Name of the entity to add a tag for
-entityType <arg> Entity type: Rule | Periodic Task | Object Group
-name <arg> Tag's key

24.3 Displaying a tag

To display a tag, use the showTag command:
Parameter Description
-entityName <arg> Name of the entity to add a tag for
-entityType <arg> Entity type: Rule | Periodic Task | Object Group
-name <arg> Tag's key

24.4 Displaying tagged entities

To display tagged entities, use the showTagged command:
Parameter Description
-name <arg> Tag's key
-value <arg> Tag's value
24.5 Displaying tags
To display existing tags, use the showTags command:
Parameter Description
-entityName <arg> Name of the entity to add a tag for
-entityType <arg> Entity type: Rule | Periodic Task | Object Group

24.6 Displaying untagged entities

To display untagged entities, use the showUntagged command:
Parameter Description
-name <arg> Tag's key

24.7 Updating a tag

To update a tag, use the updateTag command:
Parameter Description
-entityName <arg> Name of the entity to add a tag for
-entityType <arg> Entity type: Rule | Periodic Task | Object Group
-name <arg> Tag's key
-newName <arg> New tag's key
-value <arg> Tag's value
 25 Infrastructure-as-Code | 147

25 Infrastructure-as-Code

25.1 Export a Resource Group to a Template

To export a Resource Group to a Template, use the exportResourceGroup command with the following options:
Parameter Description

-auditRules <arg> Names of Audit Rules separated by -nameSeparator. Default value of

separator is ;
-auditRulesExt <arg> Names of external Audit Rules separated by -nameSeparator. Default value
of separator is ;

-learningRules <arg> Names of Learning Rules separated by -nameSeparator. Default value of

separator is ;

-learningRulesExt <arg> Names of external Learning Rules separated by -nameSeparator. Default

value of separator is ;

-maskingRules <arg> Names of Dynamic Masking Rules separated by -nameSeparator. Default

value of separator is ;
-maskingRulesExt <arg> Names of external Dynamic Masking Rules separated by -nameSeparator.
Default value of separator is ;
-nameSeparator <arg> Name separator. Used together with -auditRules, -auditRulesExt, -
securityRules, -securityRulesExt, -maskingRules, -maskingRulesExt, -
learningRules, -learningRulesExt. Default is ;
-resourceGroup <arg> Name of the Resource Group
-securityRules <arg> Names of Security Rules separated by -nameSeparator. Default value of
separator is ;
-securityRulesExt <arg> Names of external Security Rules separated by -nameSeparator. Default
value of separator is ;
-templateFormat <arg> Format of the Template: JSON
-templateName <arg> Name of the Template
25.2 Deploy a Resource Group from a
Template
To deploy a Resource Group from a template, use the deployResourceGroupFromTemplate command with the
following options:
Parameter Description
-fileName <arg> Name of the file with list of parameters
-parametersName <arg> Name of the list of parameters

-resourceGroupName <arg> Name of the Resource Group

-templateName <arg> Name of the Template

-url <arg> URL with list of parameters
 26 Miscellanious | 149

26 Miscellanious

26.1 showWorkers
To display a list of all available Workers, use the showWorkers command:
Parameter Description

-dsServer <arg> Name of the server the proxy or sniffer is located on. If this option is not
set, DataSunrise will display workers list for your current server.

26.2 Flush
To update the Backend data and send synchronization command to the Core, use the flush command:
Parameter Description

-dsServer <arg> Name of the server the proxy or sniffer is located on

-worker <arg> Worker name. To see the full list of workers user the "showWorkers"
command (showWorkers on page 149). If this option is not specified, flush
will be applied to all available workers.

26.3 Displaying admin queries types

To display types of administrative queries. use the showAdminQueryTypes command.

26.4 Checking the Core status

To check the Core status, use the showCoreState command:
Parameter Description

-dsServer <arg> Name of the DataSunrise server the proxy or sniffer is running on

-worker <arg> Worker name. To view the full list of all available workers, use the
showWorkers command. If an option is not specified, flush will be
executed for all workers
 26 Miscellanious | 150

26.5 Restarting the backend

To restart the Backend, use the restartBackend command:
Parameter Description

-dsServer <arg> Name of a DataSunrise server.

-f Restart without confirmation.

26.6 Displaying hosts

To display a list of hosts, use the showHosts command.

26.7 Displaying the most frequently blocked

queries
To display a report on the most frequently blocked queries, use the showMostBlocked command:
Parameter Description

-beginDate <arg> Begin date (yyyy-MM-dd HH:mm:ss)

-endDate <arg> End date (yyyy-MM-dd HH:mm:ss).

-instance <arg> Logical name of the instance or "any".

26.8 Displaying query types

To display query types, use the showQueryTypes command.
 26 Miscellanious | 151

26.9 Displaying reports

To display reports, use the showReports command:
Parameter Description

-beginDate <arg> Begin date (yyyy-MM-dd HH:mm:ss)

-endDate <arg> End date (yyyy-MM-dd HH:mm:ss).

-eventType <arg> Event type: "a", "s", "m" for audit, security and masking rules respectively.

-reportType <arg> Report type: app, host , user, ip.

-instance <arg> Logical name of the instance or "any".

26.10 Displaying sessions

To display a list of sessions, use the showSessions command:
Parameter Description

-a Show only active sessions

-app <arg> application

-appOpt <arg> Options to search for application. Empty, Not empty, Like, Not Like, Match,
Not Match, Any.

-beginDate <arg> Begin date (yyyy-MM-dd HH:mm:ss)

-endDate <arg> End date (yyyy-MM-dd HH:mm:ss).

-host <arg> Host.

-hostOpt <arg> Options to search for host. Empty, Not empty, Like, Not Like, Match, Not
Match, Any.

-i show only inactive sessions.

-loginOpt <arg> Options to search for login. Empty, Not empty, Like, Not Like, Match, Not
Match, Any.

-instance <arg> Logical name of the instance or "any".

26.11 Displaying SSL Key Groups

To display SSL Key groups, use the showSSLKeyGroups command.
 26 Miscellanious | 152

26.12 Displaying system errors

To display a report on system errors, use the showSystemErrors command:
Parameter Description

-beginDate <arg> Begin date (yyyy-MM-dd HH:mm:ss)

-endDate <arg> End date (yyyy-MM-dd HH:mm:ss).

26.13 Displaying throughput history

To display a throughput history, use the showThroughputHistory command:
Parameter Description

-beginDate <arg> Begin date (yyyy-MM-dd HH:mm:ss)

-endDate <arg> End date (yyyy-MM-dd HH:mm:ss).

26.14 Tracing Audit Counters

To trace Audit Counters, use the traceAuditCounters command:
Parameter Description

-dsServer <arg> Name of the server the proxy or sniffer is located on. If this option is not
set, DataSunrise will display workers list for your current server

-worker <arg> Worker name. To see a complete list of all available workers use the
showWorkers command. If no option is specified, flush will be executed for
all workers

26.15 Connecting to DataSunrise using SSO

To connect to DataSunrise using the Single Sign-On technology, use the connectSso command:
Parameter Description
-host <arg> Name of the host DataSunrise server is running on
-port <arg> Port number DataSunrise server is running on (11000 by default)
-protocol <arg> Protocol (https | http). HTTPS is used by default
-token <arg> Access token

26.16 Adding an SSO Service

To add new SSO Service to DataSunrise's settings, use the addSsoService command:
 26 Miscellanious | 153

Parameter Description
-action <arg> Action: Deny Access | Create a New User | Create or Update User
Based on Response

-assertionConsumeServiceEndpoint <arg> Assertion consume service endpoint

-authorizationTokenEndpointURL <arg> Authorization token endpoint URL

-dontCheckSignedAssertions <true | Don't check signed assertions

false>
-dontSignAuthenticationofRequests <true Don't sign authentication of requests
| false>
-dSUserNameAttr <arg> DS user name attribute
-endpoint <arg> Endpoint
-entityID <arg> Entity ID
-name <arg> SSO service name
-nameIDFormat <arg> Name ID format
-OIDCClientID <arg> OIDC client ID
-OIDCClientSecret <arg> OIDC client secret
-privateKeyForSignSAMLMessages <arg> File with private key for Sign SAML Messages

-role <arg> Role. Execute the showAccessRoles command to see all available roles

-setEndpointsManually <true | false> Set endpoints manually

-singleLogoutEndpoint <arg> Single logout endpoint
-spMetadataValidUntil <arg> SP metadata valid until

-tokenEndpointURL <arg> Token endpoint URL

-tokenKeysEndpointURL <arg> Token keys endpoint URL

-type <arg> Type: OpenID Connect | SAML

x509CertificateForVerifySAMLMessages File with an X509 Certificate for Verify SAML Messages

<arg>
-xmlMetadata <arg> XML metadata file
 26 Miscellanious | 154

26.17 Updating an SSO Service entry

To update an existing SSO Service, use the updateSsoService command:
Parameter Description
-action <arg> Action: Deny Access | Create a New User | Create or Update User
Based on Response

-assertionConsumeServiceEndpoint <arg> Assertion consume service endpoint

-authorizationTokenEndpointURL <arg> Authorization token endpoint URL

-dontCheckSignedAssertions <true | Don't check signed assertions

false>
-dontSignAuthenticationofRequests <true Don't sign authentication of requests
| false>
-dSUserNameAttr <arg> DS user name attribute
-endpoint <arg> Endpoint
-entityID <arg> Entity ID
-name <arg> SSO service name
-nameIDFormat <arg> Name ID format
-newName <arg> New SSO service name
-OIDCClientID <arg> OIDC client ID
-OIDCClientSecret <arg> OIDC client secret
-privateKeyForSignSAMLMessages <arg> File with private key for Sign SAML Messages

-role <arg> Role. Execute the showAccessRoles command to see all available roles

-setEndpointsManually <true | false> Set endpoints manually

-singleLogoutEndpoint <arg> Single logout endpoint
-spMetadataValidUntil <arg> SP metadata valid until

-tokenEndpointURL <arg> Token endpoint URL

-tokenKeysEndpointURL <arg> Token keys endpoint URL

-type <arg> Type: OpenID Connect | SAML

x509CertificateForVerifySAMLMessages File with an X509 Certificate for Verify SAML Messages

<arg>
-xmlMetadata <arg> XML metadata file
 26 Miscellanious | 155

26.18 Displaying SSO Service Settings

To display existing SSO Services, use the showSsoService command:
Parameter Description
-name <arg> SSO service name

26.19 Deleting SSO Service

To delete an existing SSO Service, use the delSsoService command:
Parameter Description
-name <arg> SSO service name