Predefined alerts
Guardium comes with a set of predefined alerts that can be found in the Alert Builder.
Open the Alert Builder by going to . When you open the Alert Builder, you are presented with a list of all existing alerts. Select an alert from the finder and click Modify to edit it.
In the Modify Alert page, modify any part of the alert, such as receivers or threshold.
You cannot modify the default queries that the alerts are based on. If you want to modify a query, click the Edit this Query icon for any query to open the Query-Report Builder. Once in the builder, clone any query, and then modify the clone to suit your needs.
After making changes to an alert, click Apply to save them.
This table describes all predefined alerts.
Alert | Description |
---|---|
Active Risky Users - Risky Users Score | |
Active S-TAPs Changed | Checks for changes to Active S-TAP® inspection engines done during the last accumulation interval. The alert will trigger if at least one inspection engine has been changed during the period. By default the alert checks every 1/2 hour and checks the last hour. |
Aggregation/Archive Errors | Alert once a day on all aggregation or archive tasks that did not complete successfully. |
Connection Profiling Alert | Alert runs every 60 minutes and sends the list of allowed (trusted) connections that were found during the time interval to the Connection Profiling List predefined group. |
CAS Instance Config Changes | Alert once a day on any CAS instance configuration changes. |
CAS Templates Changes | Alert once a day on any CAS template configuration changes. |
Data Source Changes | Alert once a day on any data source definition changes. |
Discovered Instances Rules Alert | Alert when a discovered instance is added or replaced. Displays in the alert builder list as Discovered Instances Rules Alert: Discovered Instance Add or Replace. |
Database disk space | Alert every 10 minutes if the internal database is more than 80% full. For more information about Disk Space (% full) and the Guardium® Nanny process, see Self Monitoring. |
Enterprise No Traffic | Alert runs only on central manager systems. It is based on a query similar to the No Traffic alert's query and retrieves the records with a timestamp between X and Y, where X is a query parameter and Y is the query's from-date, generated by the alert mechanism from the accumulation interval (the same way the existing No Traffic alert works). |
Enterprise S-TAPs changed | Alert runs on central manager systems only. |
Failed Logins to Guardium | Every 10 minutes alert if there have been more than 5 failed login attempts on the Guardium appliance. |
Guardium - Add/Remove Users | Alert once a day if any Guardium users have been added or removed. |
Guardium - Credential Activity | Alert once a day if there have been any Guardium credential changes, including LDAP configuration changes. |
Inactive Managed Unit | Alert runs every 30 minutes and sends a notice once a day to the predefined group called "Managed Units Alert". |
Inactive S-TAPs Since | Alert once an hour on all S-TAPs that have not been heard from. |
Inspection Engines and S-TAP | Alert once a day on any activity related to inspection engine and S-TAP configuration. |
Investigation Dashboard Issues | A new issue was detected that cannot be resolved automatically. |
No Traffic | Alert to indicate whether there is no traffic from specific database servers. This alert triggers when no traffic is collected from a server from which the Guardium system was collecting traffic at some point during the last 48 hours. The alert triggers when there is no traffic within the period defined by the accumulation interval. For example, if the accumulation interval is 60 minutes, the alert sends an email if there was no traffic from a specific database server in the last hour but there was some traffic in the last 48 hours. The alert sends an email (by default) only every 24 hours. Parameters such as accumulation interval, notification interval, and run frequency can be customized. Parameters such as Threshold, Per Line, operator, and query should not be changed, because changes to these parameters cause the alert not to work properly. Note: the No Traffic query should not be cloned. |
No Traffic by Server/Protocol | Similar to the regular No Traffic alert, with the following differences: the alert is per service name/net protocol and reports per line. There is an additional parameter, Active Traffic Interval, which bounds how recently the last request from each server must have been received. The alert triggers when there was no traffic during the alert interval from a given server/net protocol combination but there was traffic since the Active Traffic Interval for that combination. By contrast, the regular No Traffic alert triggers if there was no traffic during the alert interval but there was traffic in the previous 48 hours, per server IP. |
Outlier Analysis Failure | Triggered by failure of the outlier mining process. |
 | Alert once an hour if an outlier with anomaly score 90 and above is encountered. |
Policy Changes Alert | Alert once a day if there have been any security policy changes. |
QWR Exceptions Alert | Alerts once per session to Syslog if, during one hour, at least one QWR exception was triggered. A QWR exception occurs when Query Rewrite cannot mask data because the query returns more than 16,000 characters. |
Queries Running Long Time | Notify if a query takes more than 900 seconds to run. |
Scheduled Job Exceptions | Alert every 10 minutes on any scheduled job exception (including assessment jobs). |
S-TAP Uninstall Alert | Alerts hourly (default) if an S-TAP is uninstalled from a database server. Alert results are also reported in the S-TAP Uninstall Events report in My Dashboard. Tip: Best practice is to leave the alert settings at their defaults. If you need to change the configuration, run the CLI command restart gui so the changes take effect. |
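The No Traffic and No Traffic by Server/Protocol rows above describe a detection that is easy to get wrong when tuning: a server must be silent for the whole accumulation interval yet have been active within a longer window, and notifications are throttled to once per notification interval. The following Python model is an added example, not Guardium code and not the predefined query (which the table says must not be cloned or changed); the traffic log, the NOW timestamp, the function names and the default interval values are constructed for illustration and match the defaults the table states (60-minute accumulation interval, 48-hour lookback, 24-hour notification interval; the 24-hour Active Traffic Interval is an assumed value).

```python
from datetime import datetime, timedelta

# Constructed sample traffic log (not Guardium data): one record per request
# observed by a collector: (timestamp, server IP, service name, net protocol).
NOW = datetime(2024, 1, 10, 12, 0, 0)
TRAFFIC_LOG = [
    (NOW - timedelta(minutes=10), "10.0.0.5", "ORCL",  "TCP"),
    (NOW - timedelta(hours=3),    "10.0.0.5", "ORCL",  "IPC"),
    (NOW - timedelta(hours=5),    "10.0.0.6", "SALES", "TCP"),
    (NOW - timedelta(days=3),     "10.0.0.7", "HR",    "TCP"),
]


def last_seen_by(log, key):
    """Reduce the log to the most recent timestamp per grouping key
    (key extracts the grouping tuple from one record)."""
    seen = {}
    for rec in log:
        k = key(rec)
        if k not in seen or rec[0] > seen[k]:
            seen[k] = rec[0]
    return seen


def no_traffic(log, now, accumulation_interval=timedelta(minutes=60),
               lookback=timedelta(hours=48)):
    """Regular No Traffic: grouped per server IP. Fire when nothing was seen
    inside the accumulation interval but something was seen inside the
    48-hour lookback. A server silent for longer than the lookback is not
    reported (it is no longer considered a monitored server)."""
    seen = last_seen_by(log, key=lambda r: r[1])
    return sorted(ip for ip, ts in seen.items()
                  if accumulation_interval < now - ts <= lookback)


def no_traffic_by_server_protocol(log, now,
                                  accumulation_interval=timedelta(minutes=60),
                                  active_traffic_interval=timedelta(hours=24)):
    """Per-line variant: group by (server IP, service name, net protocol) and
    use the Active Traffic Interval in place of the fixed 48-hour lookback.
    The same server can therefore fire for one protocol and not another."""
    seen = last_seen_by(log, key=lambda r: (r[1], r[2], r[3]))
    return sorted(line for line, ts in seen.items()
                  if accumulation_interval < now - ts <= active_traffic_interval)


def due_for_notification(last_notified, key, now,
                         notification_interval=timedelta(hours=24)):
    """Notification throttling: a key is reported again only after the
    notification interval has elapsed since its last report. Updates
    last_notified in place when a notification is allowed."""
    prev = last_notified.get(key)
    if prev is not None and now - prev < notification_interval:
        return False
    last_notified[key] = now
    return True


if __name__ == "__main__":
    print("No Traffic:", no_traffic(TRAFFIC_LOG, NOW))
    print("No Traffic by Server/Protocol:",
          no_traffic_by_server_protocol(TRAFFIC_LOG, NOW))
    sent = {}
    for ip in no_traffic(TRAFFIC_LOG, NOW):
        print(ip, "notify:", due_for_notification(sent, ip, NOW))
```

With the sample log, the per-IP check reports only 10.0.0.6 (silent for 5 hours, active within 48 hours): 10.0.0.5 was seen 10 minutes ago on TCP, and 10.0.0.7 has been silent for three days, so it falls outside the lookback. The per-line variant additionally reports the 10.0.0.5 IPC line, which has been silent for 3 hours even though the same server is active on TCP; that is the kind of finding the table says the per-line alert exists for.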