Creating a real-time alert

Generate real-time security alerts by creating a policy with rules and actions to detect and respond to suspicious activity and policy violations.

Before you begin

Configure SMTP or SNMP in the Alerter. Open the Alerter by clicking Setup > Tools and Views > Alerter, and then complete the SMTP or SNMP information.

Tip: Policy violations can also be seen in the Incident Management report.

About this task

Send a real-time alert to the database administrator whenever the same database user has three failed logins within a five-minute window. (The rule counts each database user separately, so failed logins by different users are never added together.)

Procedure

  1. Create a policy.
    1. Click Protect > Security Policies > Policy Builder for Data.
    2. Click the Add icon to create a new policy or modify an existing policy by selecting the policy and clicking the Edit icon.
    3. In the Name and properties window, select the Data security policy type and provide a policy name.
  2. Add rules to the policy.
    1. Click to open the Rules pane for the policy.
    2. Click the Add icon to add a rule.
    3. In the Rule definition pane, use the Rule type menu to select the Exception rule type and use the Rule name field to provide a short descriptive name for the rule.
    4. Click to open the Rule criteria pane and define the triggering criteria for the rule.
      Use the following settings to create a rule that triggers when the same database user has three failed logins within a five-minute window.
      Session level criteria
      Database user = .

      Enter a single period (.) as the value and select the option to count each individual database user value separately, so that the rule applies to every database user and each user has an independent counter.

      SQL criteria
      Exception type = LOGIN_FAILED

      Match only failed-login exceptions. Other exception types (for example, SQL errors) do not increment the counter.

      Other criteria
      Minimum count = 3

      Set the minimum number of times the rule is matched before the action is triggered. With a value of 3, the action fires on the third match, not the fourth. The count is reset each time that the action is triggered or when the reset interval expires.

      Reset interval = 5

      Set the number of minutes after which the rule counter is reset. The counter is also reset when the rule action is triggered, so a fourth failed login immediately after an alert starts a new count of 1 rather than triggering a second alert.

      Record values = 1 - Log full SQL in policy violation

      Define what is included in the policy violation report: no SQL, full SQL, or masked SQL. Full SQL gives the responder the most context; choose masked SQL if the recorded statement could contain credentials or other sensitive values that should not appear in an e-mail or SNMP trap.

    5. Optional: Select the Continue to next rule option to keep evaluating the remaining rules in the policy after this rule is satisfied and its action is triggered. If this option is not selected, no additional rules are tested after this rule is satisfied, so any later rule in the policy that should also apply to the same failed login never fires.
  3. Add an action when the rule is triggered.
    1. Click to open the Rule action pane and define actions to take when rule conditions are matched.
    2. In this example, select New > ALERT > ALERT PER MATCH to get a notification every time the rule is triggered, that is, on every third failed login by a user. If a user keeps failing, ALERT PER MATCH sends an alert for every third failure; if that volume would flood the alert receiver, the other ALERT actions (such as ALERT ONCE PER SESSION or ALERT DAILY) limit how often the notification is sent.
    3. From the Add new action window, select a Message template, define a Notification type, and then click OK.
      For MAIL or SNMP notification types, you must first configure the Alerter at Setup > Tools and Views > Alerter; otherwise the action is saved but no notification is delivered.
    4. After defining rule actions, click OK to save the rule definition. Click OK again to save the policy.
  4. Install the policy.
    1. From the Policy Builder for Data, select the policy and then select Install > Install.
    2. From the Install policy window, select the Installation action you want and click OK.
      Your policy is now installed. Your alert receiver receives real-time notifications whenever the policy rules are triggered. To verify the installation, produce three failed logins for a test database user within five minutes, confirm that the alert arrives at the receiver, and confirm that the corresponding policy violation appears in the Incident Management report.
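To make the interaction of Minimum count, Reset interval, and per-user counting concrete, the following is an added Python model of the rule's counting logic. It is not part of this page and is not Guardium code; it replays the rule over a constructed, time-ordered list of events. The event tuples, the user names alice and bob, and the assumption that the reset interval is measured from the first match of the current count are all constructed for this illustration and should be checked against the appliance's actual behaviour before relying on them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed settings, mirroring the rule built in the procedure above.
EXCEPTION_TYPE = "LOGIN_FAILED"         # SQL criteria: Exception type
MINIMUM_COUNT = 3                       # Other criteria: Minimum count
RESET_INTERVAL = timedelta(minutes=5)   # Other criteria: Reset interval (minutes)
LOG_FULL_SQL = True                     # Record values: 1 - Log full SQL


@dataclass
class Counter:
    """Per-database-user counter ("count each individual database user value separately")."""
    count: int = 0
    window_start: Optional[datetime] = None


# Constructed sample events: (timestamp, database user, exception type, SQL text).
SAMPLE_EVENTS: List[Tuple[datetime, str, str, str]] = [
    (datetime(2024, 1, 1, 0, 0), "alice", "LOGIN_FAILED", "CONNECT alice/****"),
    (datetime(2024, 1, 1, 0, 1), "bob",   "LOGIN_FAILED", "CONNECT bob/****"),
    (datetime(2024, 1, 1, 0, 2), "alice", "LOGIN_FAILED", "CONNECT alice/****"),
    (datetime(2024, 1, 1, 0, 3), "bob",   "SQL_ERROR",    "SELECT * FROM nosuch"),  # not a failed login
    (datetime(2024, 1, 1, 0, 4), "alice", "LOGIN_FAILED", "CONNECT alice/****"),  # alice's 3rd -> alert
    (datetime(2024, 1, 1, 0, 5), "alice", "LOGIN_FAILED", "CONNECT alice/****"),  # counter restarted, count 1
    (datetime(2024, 1, 1, 0, 8), "bob",   "LOGIN_FAILED", "CONNECT bob/****"),    # 7 min after bob's 1st -> reset
    (datetime(2024, 1, 1, 0, 9), "bob",   "LOGIN_FAILED", "CONNECT bob/****"),
    (datetime(2024, 1, 1, 0, 10), "bob",  "LOGIN_FAILED", "CONNECT bob/****"),    # bob's 3rd in window -> alert
]


def evaluate(events, minimum_count=MINIMUM_COUNT, reset_interval=RESET_INTERVAL,
             log_full_sql=LOG_FULL_SQL) -> List[dict]:
    """Apply the rule to a time-ordered event list; return one alert per trigger (ALERT PER MATCH)."""
    counters: Dict[str, Counter] = {}
    alerts: List[dict] = []
    for ts, db_user, exc_type, sql in events:
        if exc_type != EXCEPTION_TYPE:
            continue  # SQL criteria not met: the counter is untouched
        c = counters.setdefault(db_user, Counter())
        # Assumption: the reset interval is measured from the first match of the current count.
        if c.window_start is None or ts - c.window_start >= reset_interval:
            c.count, c.window_start = 0, ts
        c.count += 1
        if c.count >= minimum_count:
            alerts.append({
                "time": ts,
                "db_user": db_user,
                "failed_logins": c.count,
                # Record values: full SQL goes into the violation, otherwise nothing
                "sql": sql if log_full_sql else "(not recorded)",
            })
            # The count is reset each time the action is triggered.
            c.count, c.window_start = 0, None
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"{a['time']:%H:%M} ALERT user={a['db_user']} "
              f"failed_logins={a['failed_logins']} sql={a['sql']}")
```

Run as-is, the model produces two alerts: one for alice at 00:04 (her third failure) and one for bob at 00:10. Alice's fourth failure at 00:05 does not alert because the trigger reset her counter, and bob's failure at 00:08 starts a fresh count because more than five minutes passed since his first one; his SQL_ERROR at 00:03 never touches the counter. Raising minimum_count to 4 yields no alerts for this input, which is the difference between "three failed logins" and "more than three" that the Minimum count setting controls.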