Send a real-time alert to the database administrator whenever there are more than three
failed logins for the same user within five minutes.
About this task
Generate real-time security alerts whenever suspicious activity is detected or access policies are violated. Follow these steps:
- Create a policy
- Add rules to the policy
- Add an action when the rule is triggered
- Install the policy
Prerequisites
Configure SMTP or SNMP in the Alerter. Open the Alerter by navigating to , and then fill out the SMTP or SNMP information.
Note: Policy violations can also be seen in the Incident Management report.
Procedure
- Create a policy.
  - Open the policy builder by navigating to .
  - Click the icon to create a new policy, or modify an existing policy by selecting the policy and clicking the icon.
  - In the Name and properties panel, select the Data security policy type and provide a policy name.
- Add rules to the policy.
  - Click to open the Rules panel for the policy.
  - Click the icon to add a new rule.
  - In the Rule definition panel, use the Rule type menu to select the Exception rule type and use the Rule name field to provide a short descriptive name for the rule.
  - Click to open the Rule criteria panel and define the triggering criteria for the rule. Use the following settings to create a rule that triggers when there are more than three failed logins for the same user within five minutes:
    Under Session level criteria:
    Under SQL criteria:
    - Exception type = LOGIN_FAILED
    Under Other criteria:
    - Minimum count = 3. Sets the minimum number of times the rule is matched before the action is triggered. The count is reset each time the action is triggered or when the reset interval expires.
    - Reset interval = 5. Sets the number of minutes after which the rule counter is reset. The counter is also reset when the rule action is triggered.
    - Record values = 1 - Log full SQL in policy violation. Defines what is included in the policy violation report: no SQL, full SQL, or masked SQL.
    Select the Continue to next rule option to continue testing rules once this rule is satisfied and its action is triggered. If this option is not selected, no additional rules are tested after this rule is satisfied.
- Add an action when the rule is triggered.
  - Click to open the Rule action panel and define the actions to take when the rule conditions are matched.
  - For this example, select to get a notification every time the rule is triggered.
  - From the Add new action window, select a Message template, define a Notification type, and then click OK. For MAIL or SNMP notification types, you must configure the alerter at .
  - After defining rule actions, click OK to save the rule definition. Click OK again to save the policy.
- Install the policy.
  - From the Policy Builder for Data, select the policy and then select .
  - From the Install policy window, select the Installation action you want and click OK.
Your policy is now installed. Your alert receiver will receive real-time notifications whenever the policy rules are triggered.
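To check how the Minimum count and Reset interval settings interact before relying on the alert in production, the counting semantics described above (a per-user counter that starts at the first matching exception, resets when the reset interval expires, and resets again each time the action fires) can be emulated offline. The following is an added example, not Guardium code or part of the original page: the record format, the user names and timestamps, the function names and the placeholder mail addresses are all constructed for the example. It uses the settings exactly as given in the procedure (LOGIN_FAILED, Minimum count = 3, Reset interval = 5 minutes) and composes the MAIL notification body without sending it.

```python
"""Emulate the LOGIN_FAILED exception rule over constructed log records.

Added example (not Guardium code): reproduces the Minimum count / Reset
interval / reset-on-trigger semantics so the settings can be checked offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from email.message import EmailMessage
from typing import Dict, List, Optional

# Constructed sample records: "<timestamp> <exception type> <db user>".
# The record format is an assumption for this example, not a Guardium export.
SAMPLE_EVENTS = [
    "2024-01-15T09:00:05 LOGIN_FAILED appuser",
    "2024-01-15T09:01:10 LOGIN_FAILED appuser",
    "2024-01-15T09:01:40 LOGIN_FAILED bob",
    "2024-01-15T09:02:30 LOGIN_FAILED appuser",  # appuser's 3rd failure: alert, counter reset
    "2024-01-15T09:03:00 SQL_ERROR appuser",     # not LOGIN_FAILED: does not match the rule
    "2024-01-15T09:08:00 LOGIN_FAILED bob",      # >5 min after bob's first failure: window expired
    "2024-01-15T09:08:10 LOGIN_FAILED bob",
    "2024-01-15T09:08:20 LOGIN_FAILED bob",      # bob's 3rd failure in the new window: alert
    "2024-01-15T09:20:00 LOGIN_FAILED appuser",  # first failure of a fresh window: no alert
]


@dataclass
class Alert:
    user: str
    fired_at: datetime
    count: int


@dataclass
class Counter:
    window_start: datetime
    count: int = 0


class ExceptionRule:
    """Counting rule mirroring the 'Other criteria' settings in the procedure."""

    def __init__(self, exception_type: str = "LOGIN_FAILED",
                 minimum_count: int = 3, reset_interval_minutes: int = 5):
        self.exception_type = exception_type
        self.minimum_count = minimum_count
        self.reset_interval = timedelta(minutes=reset_interval_minutes)
        self.counters: Dict[str, Counter] = {}  # one counter per database user

    def observe(self, ts: datetime, exception_type: str, user: str) -> Optional[Alert]:
        """Feed one record; return an Alert when the rule action fires, else None."""
        if exception_type != self.exception_type:
            return None
        state = self.counters.get(user)
        # Reset interval expired (or no counter yet): start a new counting window.
        if state is None or ts - state.window_start >= self.reset_interval:
            state = Counter(window_start=ts)
        state.count += 1
        if state.count >= self.minimum_count:
            # Action triggered: the counter is reset, as the rule settings describe.
            self.counters.pop(user, None)
            return Alert(user=user, fired_at=ts, count=state.count)
        self.counters[user] = state
        return None


def parse_record(line: str):
    ts_text, exception_type, user = line.split()
    return datetime.fromisoformat(ts_text), exception_type, user


def detect_failed_logins(lines: List[str], rule: Optional[ExceptionRule] = None) -> List[Alert]:
    """Run the rule over log lines and return every alert it would raise."""
    rule = rule or ExceptionRule()
    alerts = []
    for line in lines:
        alert = rule.observe(*parse_record(line))
        if alert:
            alerts.append(alert)
    return alerts


def build_mail_alert(alert: Alert, sender: str, recipient: str) -> EmailMessage:
    """Compose the MAIL notification; addresses are caller-supplied placeholders."""
    msg = EmailMessage()
    msg["Subject"] = f"[Policy violation] {alert.count} failed logins for {alert.user}"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content(
        f"Rule 'failed logins' triggered at {alert.fired_at.isoformat()} "
        f"for database user {alert.user} ({alert.count} LOGIN_FAILED exceptions "
        f"within the reset interval)."
    )
    return msg


if __name__ == "__main__":
    for a in detect_failed_logins(SAMPLE_EVENTS):
        print(build_mail_alert(a, "guardium@example.invalid", "dba@example.invalid"))
```

Running the sample produces two alerts (appuser at 09:02:30, bob at 09:08:20): bob's first failure at 09:01:40 is not counted towards the second alert because the five-minute reset interval had expired, and the SQL_ERROR record never touches the counter because the rule matches only the LOGIN_FAILED exception type.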