How to create a real-time alert

Send a real-time alert to the database administrator whenever there are more than three failed logins for the same user within five minutes.

About this task

Generate real-time security alerts whenever suspicious activity is detected or access policies are violated.

Follow these steps:

  1. Create a policy
  2. Add rules to the policy
  3. Add an action when the rule is triggered
  4. Install the policy

Prerequisites

Configure SMTP or SNMP in the Alerter. Open the Alerter by navigating to Setup > Tools and Views > Alerter, and then fill out the SMTP or SNMP information.

Note: Policy violations can also be seen in the Incident Management report.

Procedure

  1. Create a policy.
    1. Open the policy builder by navigating to Protect > Security Policies > Policy Builder for Data.
    2. Click the new icon to create a new policy, or select an existing policy and click the edit icon to modify it.
    3. In the Name and properties panel, select the Data security policy type and provide a policy name.
  2. Add rules to the policy.
    1. Click to open the Rules panel for the policy.
    2. Click the new icon to add a new rule.
    3. In the Rule definition panel, use the Rule type menu to select the Exception rule type and use the Rule name field to provide a short descriptive name for the rule.
    4. Click to open the Rule criteria panel and define the triggering criteria for the rule.
      Use the following settings to create a rule that triggers when there are more than three failed logins for the same user within five minutes:
      Under Session level criteria:
      • Database user = . (a single period)

        The period value counts each individual database user value separately, so failed logins are tallied per user rather than across all users.

      Under SQL criteria:
      • Exception type = LOGIN_FAILED
      Under Other criteria:
      • Minimum count = 3

        Set the minimum number of times the rule is matched before the action is triggered. The count is reset each time the action is triggered or when the reset interval expires.

      • Reset interval = 5

        Set the number of minutes after which the rule counter is reset. The counter is also reset when the rule action is triggered.

      • Record values = 1 - Log full SQL in policy violation

        Define what is included in the policy violation report: no SQL, full SQL, or masked SQL.

      Select the Continue to next rule option so that the remaining rules are still tested after this rule is satisfied and its action is triggered. If this option is not selected, no additional rules are tested after this rule is satisfied.

  3. Add an action when the rule is triggered.
    1. Click to open the Rule action panel and define actions to take when rule conditions are matched.
    2. For this example, select new > ALERT > ALERT PER MATCH to get a notification every time the rule is triggered.
    3. From the Add new action window, select a Message template, define a Notification type, and then click OK.
      For MAIL or SNMP notification types, you must configure the alerter at Setup > Tools and Views > Alerter.
    4. After defining rule actions, click OK to save the rule definition. Click OK again to save the policy.
  4. Install the policy.
    1. From the Policy Builder for Data, select the policy and then select Install > Install.
    2. From the Install policy window, select the Installation action you want and click OK.
      Your policy is now installed. Your alert receiver will receive a real-time notification each time the policy rule is triggered.
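To see how the Minimum count, Reset interval and per-user counting settings from the rule criteria above combine, here is an added Python simulation of the rule's counter run over a constructed list of exception events. It is not Guardium code; it models the counter as the page describes it (a per-user count that resets when the action fires or when the reset interval has elapsed since the first match in the window), and the event format, function name and sample values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of database exception events: (timestamp, db_user, exception_type).
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:05", "appuser", "LOGIN_FAILED"),
    ("2024-05-01 09:00:40", "appuser", "LOGIN_FAILED"),
    ("2024-05-01 09:01:10", "reporter", "LOGIN_FAILED"),
    ("2024-05-01 09:02:00", "appuser", "LOGIN_FAILED"),   # 3rd appuser failure within 5 min
    ("2024-05-01 09:02:30", "appuser", "SQL_ERROR"),      # not LOGIN_FAILED, ignored by the rule
    ("2024-05-01 09:08:00", "reporter", "LOGIN_FAILED"),  # reporter's 5-minute window has expired
    ("2024-05-01 09:09:00", "reporter", "LOGIN_FAILED"),  # only 2 reporter failures in this window
]


def failed_login_alerts(events, min_count=3, reset_minutes=5):
    """Return (timestamp, user) pairs for which the ALERT PER MATCH action would fire.

    Mirrors the Exception rule: Exception type = LOGIN_FAILED, Database user = .
    (counted per user), Minimum count = min_count, Reset interval = reset_minutes.
    """
    window = timedelta(minutes=reset_minutes)
    state = {}   # db_user -> (current count, start of the counting window)
    alerts = []
    for ts_str, user, exc_type in events:
        if exc_type != "LOGIN_FAILED":          # SQL criteria: only login failures match
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        count, start = state.get(user, (0, ts))
        if count == 0 or ts - start >= window:  # reset interval expired: open a new window
            count, start = 0, ts
        count += 1
        if count >= min_count:                  # minimum count reached: trigger the action
            alerts.append((ts_str, user))
            count = 0                           # counter is reset when the action fires
        state[user] = (count, start)
    return alerts


if __name__ == "__main__":
    for when, who in failed_login_alerts(SAMPLE_EVENTS):
        print(f"ALERT {when}: {who} reached the failed-login threshold")
```

With the sample events only appuser trips the alert; reporter's two later failures fall in a fresh window because the first one is more than five minutes old.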