DQL report to show sensitive files/user activities for a given path

DQLNewbie
Level 2

As you can tell, I'm brand new to the world of DQL and looking for help.

My Data Insight 6.1 instance is integrated with Symantec DLP and gets the list of sensitive files from DLP. I created the DQL below to report on ALL sensitive files in my environment, and it works well:

FROM path
GET absname, device.name, permissions.readable_permission
IF issensitive = 1
FORMAT permissions as CSV AND device as CSV

What I'm trying to do is get a list of sensitive files for a particular Windows file directory, not just everything, as well as output to CSV all user activities for those files within a given time period.

Is that something that can be done within DQL?

Thanks for your help with this one.

Rod_p1
Level 6
Employee Accredited Certified

Newbie, in coming back around to see if there were questions on my answer, I do not see my post in the thread. Either I improperly saved it but do not have a draft, it was flagged for removal, or I failed to save it altogether. Unfortunate; let me try to recreate it for you.

You are currently pulling all data from your DI environment across all indexes where an object is marked as sensitive. I assume you use a third-party app like Symantec's DLP and not a CSV file, and are trying to filter down to a more granular dataset in your output?

We have a SDK (programmer's guide) called Veritas_Data_Insight_SDK_Guide.pdf which is located in the root of where ever you extracted the full media kit for your version of DI. This guide is the list of column values you can use in your filtering.

To filter, you would add values to your GET statement and then utilize them in the IF to further filter your results.

As an example, the parent.absname would get you the list of folders as a result, where the filer\Share\foldername would be presented, whereas the parent.name would result in the directory or path under the share to the location of objects.


So an example of modifying your report could be:

FROM path
GET parent.name as folder, absname as filePath, size, device.name, permissions.readable_permission,
formatdate(last_accessed, "YYYY/MM/DD HH:mm") as last_accessed_time
WHERE last_accessed < datetime("2017/05/01 00:00", "YYYY/MM/DD HH:mm")
AND issensitive = 1 AND type = "FILE" AND matchi(parent.name, "*finance*") = 1 AND parent.type = "DIR"
sortby parent.name asc
FORMAT permissions as CSV AND device as CSV

where "finance" is contained in the folder name you wish to focus on.
Note the change from IF to WHERE.

You could filter by limiting devices to check, returning only results within a parameter like time or location, type or name, etc. The logic of refining your query to be more granular is to not eliminate every result at the same time as eliminating the undesirable ones.

Hopefully this saves properly this time and assists you with the logic required to complete your query.


Rod
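The reply's WHERE clause does its narrowing inside Data Insight. As an added example (not from the thread, and not Data Insight's own tooling), the script below applies the same logic to a CSV export of such a report: a case-insensitive wildcard match on the folder column standing in for matchi(), a strict last-accessed cutoff like the datetime() comparison, an optional device restriction, and a folder sort like "sortby parent.name asc". It goes one step beyond the reply by also taking a lower time bound, which is the "given time period" part of the question. The export column names (folder, filePath, device.name, last_accessed_time) and the sample rows are constructed assumptions mirroring the aliases in the reply's GET clause; a real export may name columns differently.

```python
import csv
import fnmatch
import io
from datetime import datetime

# Constructed sample export. Column names are assumptions that mirror the
# aliases in the reply's GET clause; they are not a real Data Insight export.
SAMPLE_EXPORT = r"""folder,filePath,size,device.name,permissions.readable_permission,last_accessed_time
Finance,filer01\Share\Finance\budget.xlsx,20480,filer01,"DOMAIN\finance:RWX",2017/03/14 09:12
Finance\Archive,filer01\Share\Finance\Archive\old.xls,10240,filer01,"DOMAIN\finance:R",2016/11/02 16:40
HR,filer01\Share\HR\salaries.csv,4096,filer01,"DOMAIN\hr:RW",2017/04/20 11:05
Finance,filer02\Share\Finance\q1.docx,8192,filer02,"DOMAIN\finance:RW",2017/06/01 08:00
"""

# Same layout the thread uses in formatdate(..., "YYYY/MM/DD HH:mm")
DATE_FMT = "%Y/%m/%d %H:%M"


def matchi(value, pattern):
    """Case-insensitive wildcard match, standing in for DQL's matchi()."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _as_dt(value):
    """Accept either a datetime or a string in DATE_FMT (or None)."""
    if value is None or isinstance(value, datetime):
        return value
    return datetime.strptime(value, DATE_FMT)


def filter_sensitive_export(csv_text, folder_pattern, accessed_after=None,
                            accessed_before=None, device=None):
    """Narrow an exported sensitive-file report the way the reply's WHERE clause does.

    folder_pattern  : wildcard applied to the folder column, e.g. "*finance*"
    accessed_after  : optional inclusive lower bound on last access
    accessed_before : optional exclusive upper bound (like last_accessed < datetime(...))
    device          : optional exact device name to keep
    Returns the surviving rows sorted by folder ascending.
    """
    after = _as_dt(accessed_after)
    before = _as_dt(accessed_before)
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not matchi(row["folder"], folder_pattern):
            continue
        if device is not None and row["device.name"] != device:
            continue
        accessed = datetime.strptime(row["last_accessed_time"], DATE_FMT)
        if after is not None and accessed < after:
            continue
        if before is not None and accessed >= before:
            continue
        kept.append(row)
    return sorted(kept, key=lambda r: r["folder"])


if __name__ == "__main__":
    # Reproduce the reply's query: finance folders, last accessed before 2017/05/01
    for r in filter_sensitive_export(SAMPLE_EXPORT, "*finance*",
                                     accessed_before="2017/05/01 00:00"):
        print(r["folder"], r["filePath"], r["last_accessed_time"])
```

Pass both accessed_after and accessed_before to restrict the report to a window rather than an open-ended cutoff; pass device to restrict to one filer, which is the "limiting devices to check" refinement the reply mentions.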