Create a Dynamic Auditing policy
Learn how to create and install a policy for Dynamic Auditing, to maximize your Risk Spotter results.
Procedure
- Access the Policy Builder for Data.
- Filter for Risk Assessment Dynamic Policy Selective [template], and click . The Create New Policy window opens.
- Modify and save the policy as relevant:
  - There must be one rule with Session level criteria: Client IP/Source application/Database user/Server IP/Service name = Risk Spotter – Risky Audited Users group. This rule is included in the Risk Assessment Dynamic Policy Selective [template]. Recommended actions are Audit only or Log full details.
  - Best practice: To make sure Risk Spotter audits as many risky users as possible without overloading your system resources, include a rule to ignore users with high-volume activity (like app users), by limiting the number of activities that are audited per user. See limit count rule guideline. This rule is included in the Risk Assessment Dynamic Policy Selective [template].
  - Clear the Selective audit trail check box (in the Name and properties section) if your installed policies do not use Selective audit trail. See Selective audit trail.
  - Make any other required changes.
- Install the policy.
  - In the Policy Builder, select the policy and click Install > Install. The Install policy window opens.
  - Select an Installation action. By default the policy is installed as the last policy on the target collectors. The correct position of the Risk Spotter policy is based on the specific details of each installed policy. Make sure you understand your policy details before installing the Risk Spotter policy.
    - Installing the Risk Spotter dynamic policy first might overload the system by overriding the basic session level criteria rule described in step 3.
    - Installing the Risk Spotter dynamic policy last might result in some risky users being ignored by prior ignore policies.
  - Select the collectors on which to install the policy.
  - Click OK. The system responds with a message indicating whether the installation succeeded.