GIM Category: database
The Database category is for events generated by database management systems that record query execution, data modifications, and schema changes. These events are typically captured through database audit logs and provide visibility into how data is accessed, modified, or administered.
Database activity logs are important for monitoring sensitive data access, detecting suspicious behavior such as mass queries or deletions, and auditing administrative actions like creating or dropping tables. They support investigations into data exfiltration, data integrity issues, and compliance with regulatory requirements.
query
Database query events represent the execution of statements used to retrieve data, typically SELECT operations. These events capture when a user or process accesses tables, views, or other database objects in order to read information.
Query events are critical for identifying who accessed sensitive data, detecting large-scale extraction attempts, and monitoring unusual access patterns (such as privileged accounts querying tables outside their normal scope).
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 150000 | | database | database.query | database query | A database query used to retrieve data was executed |
update
Database update events represent modification of existing rows within a database table, typically through UPDATE statements. These events capture changes to stored values, including alterations to sensitive fields such as account information, financial records, or configuration settings.
Tracking update activity is important for auditing data integrity, detecting unauthorized changes, and correlating modifications with the users or applications that performed them.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 150500 | | database | database.update | update rows | A request to update rows in a database table was made |
add
Database insert events represent the addition of new rows into a table, typically through INSERT statements. These events capture the creation of new records in application data, logs, or system tables.
Insert activity is important for understanding how data enters the system, tracking the creation of sensitive or high-value records, and detecting anomalies such as automated bulk inserts or unexpected application behavior.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 151000 | | database | database.add | insert rows | A request to insert rows in a database table was made |
| 151001 | | database | database.add | add table | A request to add a table to a database was made |
| 151002 | | database | database.add | create database | A request to create a new database was made |
delete
Database delete events represent the removal of existing rows from a database table, typically through DELETE statements. These events capture when records are intentionally erased from a dataset.
Delete activity is important for monitoring potential data destruction, detecting unauthorized removals, and ensuring compliance with retention policies. Unusual or large-scale deletions may indicate malicious activity or insider threats.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 151500 | | database | database.delete | delete rows | A request to delete rows from a database table was made |
| 151501 | | database | database.delete | drop table | A request to drop a database table from a database was made |
| 151502 | | database | database.delete | drop database | A request to drop a database was made |
default
The default subcategory is used for database-related events that do not fit into a more specific subcategory such as query, update, add, or delete. These may include vendor-specific messages, system informational logs, or events that lack sufficient detail to be classified more precisely.
This ensures that all database activity can be captured in the model, even when normalization is not possible.
| gim_event_type_code | gim_event_class | gim_event_category | gim_event_subcategory | gim_event_type | description |
|---|---|---|---|---|---|
| 159999 | | database | database.default | database message | Default database message |
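The following is an added example, not code from the original page or from the product it documents: a small normalizer that assigns the event type codes and subcategories from the tables above to audited SQL statements, falling back to `database.default` when the statement is not recognized. The function name, the regular expressions, and the sample statements are assumptions of this example; `gim_event_class` is omitted because the page lists no value for it.

```python
import re

# Statement-prefix rules. Codes, subcategories and event types are the ones
# listed in the tables on this page; the regexes are this example's assumption.
GIM_DATABASE_RULES = [
    (r"SELECT\b", 150000, "database.query", "database query"),
    (r"UPDATE\b", 150500, "database.update", "update rows"),
    (r"INSERT\b", 151000, "database.add", "insert rows"),
    (r"CREATE\s+(?:TEMP(?:ORARY)?\s+)?TABLE\b", 151001, "database.add", "add table"),
    (r"CREATE\s+DATABASE\b", 151002, "database.add", "create database"),
    (r"DELETE\b", 151500, "database.delete", "delete rows"),
    (r"DROP\s+TABLE\b", 151501, "database.delete", "drop table"),
    (r"DROP\s+DATABASE\b", 151502, "database.delete", "drop database"),
]
GIM_DATABASE_DEFAULT = (159999, "database.default", "database message")

# Leading SQL comments (/* ... */ and -- ...) would otherwise hide the verb.
_SQL_COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)


def classify_statement(sql):
    """Return the GIM database fields for one audited SQL statement."""
    text = _SQL_COMMENTS.sub(" ", sql).strip().upper()
    match = GIM_DATABASE_DEFAULT  # unrecognized statements are not guessed
    for pattern, code, subcategory, event_type in GIM_DATABASE_RULES:
        if re.match(pattern, text):
            match = (code, subcategory, event_type)
            break
    code, subcategory, event_type = match
    return {
        "gim_event_type_code": code,
        "gim_event_category": "database",
        "gim_event_subcategory": subcategory,
        "gim_event_type": event_type,
    }


if __name__ == "__main__":
    # Constructed sample audit statements, not taken from a real log.
    samples = [
        "select card_number from payments",
        "/* nightly job */ DROP   TABLE audit_log",
        "-- cleanup\nDELETE FROM sessions WHERE expired = 1",
        "GRANT ALL ON reports TO analyst",
    ]
    for statement in samples:
        print(classify_statement(statement)["gim_event_type_code"], repr(statement))
```

Statements that begin with another keyword, such as `WITH` or `GRANT`, are deliberately left in `database.default` here so that ambiguous input is never mislabeled as a more specific event.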
