Database Monitoring with FIM

Databases often store an organization’s most sensitive and business-critical information, such as customer data, financial records, and intellectual property. Because of this, they are a prime target for unauthorized access, misconfigurations, and malicious activity.

FIM can monitor and detect changes within your database environments by tracking records in your database tables. This helps you gain visibility into configuration changes, unauthorized access, or suspicious activity affecting your critical databases.

Detected database events are displayed on the FIM > Events > Scan Based tab. The first event action is Baseline, and all subsequent events have the action Content, with their event names appended with the word Drift.

You can create report rules, incidents, and dashboard widgets as required for the database events.

Configuring FIM for database monitoring requires the Qualys Custom Assessment and Remediation (CAR) subscription. CAR is used to create a parameterized script that runs on your database for monitoring.

Follow these steps to configure FIM for database monitoring:

1. Select the CAR module from the module picker.
2. Create a parameterized script.

   For more information on creating a parameterized script, refer to CAR Online Help.

   While creating a parameterized script, make sure to complete these steps:

   1. Select the Define Script Parameters checkbox.

   2. Provide the following script parameters:

      • Database Vault URL: The vault URL that stores the database credentials (username and password).

      • Server: The IP address of the database server.

      • Database: The name of the database to connect to.

      • Query: The query to execute on the database table.

      The following screenshot displays the required parameters:
      

      Click to view a sample script for monitoring the databaseClick to view a sample script for monitoring the database

      param (
      [Parameter(Mandatory = $true)] [string]$vaultUrl,
      [Parameter(Mandatory = $true)] [string]$sqlServer,
      [Parameter(Mandatory = $true)] [string]$database,
      [Parameter(Mandatory = $true)] [string]$query
      )function Write-Log {
      param ([string]$msg)
      Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $msg"
      }function Get-CyberArkCredential {
      param ([string]$vaultUrl)try {
      Write-Log "Requesting credentials from CyberArk: $vaultUrl"
      $response = Invoke-RestMethod -Uri $vaultUrl -Method GET -UseBasicParsingif ($response -and $response.UserName -and $response.Content) {
      return $response
      } else {
      throw "CyberArk response is missing 'UserName' or 'Content'."
      }
      }
      catch {
      throw "Failed to retrieve credentials from CyberArk: $_"
      }
      }function Execute-SqlQuery {
      param (
      [string]$server,
      [string]$database,
      [string]$username,
      [string]$password,
      [string]$query
      )try {
      $connStr = "Server=$server;Database=$database;User Id=$username;Password=$password;Encrypt=False;"
      $conn = New-Object System.Data.SqlClient.SqlConnection $connStr
      $conn.Open()$cmd = $conn.CreateCommand()
      $cmd.CommandText = $query
      $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
      $table = New-Object System.Data.DataTable
      $adapter.Fill($table) | Out-Null
      $conn.Close()return $table
      }
      catch {
      throw "Error executing SQL query: $_"
      }
      }# Main Execution
      Write-Log "===== Script Started ====="try {
      $creds = Get-CyberArkCredential -vaultUrl $vaultUrl
      Write-Log "Retrieved credentials for user: $($creds.UserName)"$results = Execute-SqlQuery -server $sqlServer -database $database -username $creds.UserName -password $creds.Content -query $query
      Write-Log "Query executed successfully. Rows returned: $($results.Rows.Count)"$results | Format-Table -AutoSize
      }
      catch {
      Write-Log "$_"
      }Write-Log "===== Script Ended =====" 
      

      You must create a script that returns a code 1 in case of failures. For more information, refer to Handling Failure Events in Database Monitoring.

3. Once the script is created, execute it.

   For more information on executing scripts, refer to CAR Online Help.

   While configuring the script execution, ensure that you turn on the Monitor this script’s output for any changes toggle. This ensures that the script monitors your database and sends any detected changes to FIM, where they are displayed as events under FIM > Events > Scan Based.

   

Viewing Database Event Details

To view database event details, click the specific database event on the Events > Scan Based tab. The About Asset section displays the asset information on which the script is executed. On the left pane, the following information is displayed:

• Last Scan Time: Displays the date and time when the script was last executed on the database.
• Script Name: Displays the name of the parameterized CAR script used to monitor the database. You can click the script name to view the script details.
• Change Event Type: Displays the name of the event, specifying whether it is a Baseline event or a Drift event (Content).

You can click Show Difference to view the changes found in the records of the database table.

You can click Actions to perform the following:

• Find Similar Events: Search for other similar events. You can filter the events using the following filters:
  • Script Name: Filter events generated by the same script.
  • Severity: Filter events by the severity level of the selected event.
  • Platform: Filter events by the platform type.
• Ignore: Click to add this event to the Ignored list if it is a false-positive.
• Make it Baseline: Click to make the current event a baseline event.

Handling Failure Events in Database Monitoring

The FIM may receive database events that indicate failure due to various reasons, such as:

• Database timeout errors
• Invalid database credentials (incorrect username or password)
• Other connectivity or execution issues

In these cases, the script may still generate output, but this output does not contain valid event data. For example, a failed script may return an error message instead of the expected database records. Comparing this error message with valid execution results does not provide any useful data.

To discard such events, you must write or update your scripts to return code 1 if any failure scenarios are expected. See the sample script below:

Sample Script configured to return code 1 in case of failureSample Script configured to return code 1 in case of failure

param (
[Parameter(Mandatory = $true)] [string]$vaultUrl,
[Parameter(Mandatory = $true)] [string]$sqlServer,
[Parameter(Mandatory = $true)] [string]$database,
[Parameter(Mandatory = $true)] [string]$query
)
function Write-Log {
param ([string]$msg)
Write-Output "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') $msg"
}
function Get-CyberArkCredential {
param ([string]$vaultUrl)
try {
Write-Log "Requesting credentials from CyberArk: $vaultUrl"
$response = Invoke-RestMethod -Uri $vaultUrl -Method GET -UseBasicParsing
if ($response -and $response.UserName -and $response.Content) {
return $response
} else {
Write-Log "CyberArk response is missing 'UserName' or 'Content'."
exit 1;
}
}
catch {
Write-Log "Failed to retrieve credentials from CyberArk: $_"
exit 1;
}
}
function Execute-SqlQuery {
param (
[string]$server,
[string]$database,
[string]$username,
[string]$password,
[string]$query
)
try {
$connStr = "Server=$server;Database=$database;User Id=$username;Password=$password;Encrypt=False;"
$conn = New-Object System.Data.SqlClient.SqlConnection $connStr
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
$adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
$table = New-Object System.Data.DataTable
$adapter.Fill($table) | Out-Null
$conn.Close()
return $table
}
catch {
Write-Log "Error executing SQL query: $_"
exit 1;
}
}
# Main Execution
Write-Log "===== Script Started ====="
try {
$creds = Get-CyberArkCredential -vaultUrl $vaultUrl
Write-Log "Retrieved credentials for user: $($creds.UserName)"
$results = Execute-SqlQuery -server $sqlServer -database $database -username $creds.UserName -password $creds.Content -query $query
Write-Log "Query executed successfully. Rows returned: $($results.Rows.Count)"
$results | Format-Table -AutoSize
}
catch {
Write-Log "$_"
exit 1;
}
Write-Log "===== Script Ended ====="

Limitations of FIM for Database Monitoring

• If you change the name of the script, FIM cannot display the difference between the previous and updated versions of the events.
• Alert generation using the event.hostType and script.name tokens is not supported for any events. This will be supported in the upcoming FIM release.