Skip to content

Matchers

Result set matcher

Use this matcher to identify specific data elements in any field of the result set. For example, to detect result sets that contain the string EU or eu use the following tag:

tags:
  - display_name: "EU data"
    tag: data_eu
    matcher_id: cloumn_data_contain
    matcher_data:
      match:
        - EU
        - eu

Query filter matcher

Use this tag to identify queries that contain a WHERE clause with a specific value. For example, assume a projects table contains information about multiple projects, identified by a project_id column. To identity queries that filter based on project_id values, use the following custom tag definition:

tags:
  - display_name: "Filtered by project"
    tag: "filtered_by_{{tagger_alias}}"
    matcher_id: "columns_exact_filter"
    matcher_data:
      match:
        - table: projects
          column: project_id
      tagger_alias:
        flying_cars: 1
        laser_swords: 12
        ceo: [1,12]

The custom tag definition will generate tags based on the filter values applied in the query. The actual filter values in the query must be a subset of the tags defined in the tagger_alias section. For the above example:

  • select * from projects → No filter by project_id applies, no tag will be generated
  • select * from projects where project_id=1filtered_by_flying_cars, filtered_by_ceo
  • select * from projects where project_id=12filtered_by_flying_laser_swords, filtered_by_ceo
  • select * from projects where project_id in (1, 12)filtered_by_ceo
  • select * from projects where project_id in (1, 14) → No tag will be generated

The match section can be modified to apply to any table with a given column by ommitting the table paramater:

      match:
        - column: project_id

The match section can be used to specify a json path within the data:

      match:
        - table: projects 
          column: project_id
          json_path: \"*['metadata'][0]['internal_id']\"

Wildcard Query matcher

Use this matcher to identify queries which are accessing all columns in a given table(s) (i.e. wildcard query)

tags:
  - display_name: "Detect wildcard queries on sensetive tables"
    tag: "wildcard_query"
    matcher_id: wildcard_tables
    matcher_data:
     match: 
      - table: customer_data
      - table: customer_purchases 

The match section can be modified to apply to any table by ommitting the table paramater:

      match: