All users

The Security Incidents: all users template provides a number of rules that track and report on possible security incidents that might be encountered at run time. You can choose which rules you need for your security scenario.

Some rule definitions are tagged as either PCI or GDPR. These tags indicate that the rule can help meet compliance with either the Payment Card Industry (PCI) Data Security Standard or the General Data Protection Regulation (GDPR).

Many rules include the MARK SESSION action, which sets the trust for this session to LOW and generates an exception in the Security Incidents report.
Note: The security incident policies analyze authentication methods, but do not log or analyze passwords.
The Security Incidents: all users template contains the following rules:
DB user using plain text password
This rule identifies when plain-text passwords are used in the authentication process for database users. Any connection that uses a driver, or targets a database, that sends the password in clear text over the network generates a security incident.
This rule generates exception messages in the Security Incident report for each unique DB_USER and SERVER_IP.
Password spraying attack detection
This rule identifies when an attacker attempts to gain unauthorized access to user accounts or systems by systematically trying commonly used passwords or a small set of passwords against multiple user accounts. This rule generates an exception message when more than 10 connection attempts are made by different users with the same password.
Source application using plain text password
This rule identifies when plain-text passwords are used in the authentication process for applications and programs. Any program or application that allows sending a password in clear text over the network generates a security incident.
This rule generates exception messages in the Security Incident report for each unique CLIENT_IP and SOURCE_PROGRAM.
Repeated failed login per server IP and user (5 in 3 minutes)
This rule generates a security incident for repeated failed log-ins.
Note: This rule is similar to the User Activity Monitoring policy Failed Login - Alert if repeated rule. However, the rule triggers only when a user unsuccessfully attempts to log on to the same server five times within 3 minutes (rather than logging in to multiple servers within 5 minutes).
This rule generates exception messages in the report for each unique DB_USER and SERVER_IP.
Password sent using vulnerable encryption method
Guardium® generates a security incident when a password is sent using an insufficiently secure method, for example when a database driver uses an outdated encryption method, or when a database sends passwords over the network using an outdated or vulnerable encryption method.
This rule generates exception messages in the Security Incident report for each unique DB_USER, CLIENT_IP, and SOURCE_PROGRAM.
Repeated login failures from same Program and different DB users per period of time (5 in 3 minutes)
Repeated failed log-ins from the same source program by different database users (specified as five failed log-ins within 3 minutes) generate a security incident.
Note: This rule is similar to the User Activity Monitoring policy Failed Login - Alert if repeated rule. However, this rule triggers only when five failed log-ins that come from the same source program, but use different database user names, occur within 3 minutes (rather than when one user fails to log in to multiple servers within 5 minutes).
This rule generates exception messages in the Security Incident report for each unique DB_USER and SERVER_IP.
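To make the three login-rate rules concrete, the following is an added example (not Guardium code, and not the policy engine's own logic) that re-implements password spraying detection, "Repeated failed login per server IP and user (5 in 3 minutes)" and "Repeated login failures from same Program and different DB users (5 in 3 minutes)" over a constructed set of login events. The field names DB_USER, SERVER_IP, CLIENT_IP and SOURCE_PROGRAM follow this page; the event layout, the keyed password fingerprint (so that equal passwords can be compared without the password being stored, in keeping with the note that passwords are not logged), and the reading of "same Program and different DB users" as at least two distinct users in the window are assumptions of this example.

```python
"""Added example (not Guardium code): the login-rate rules of the
"Security Incidents: all users" template, evaluated over constructed events."""
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    db_user: str
    server_ip: str
    client_ip: str
    source_program: str
    success: bool
    pw_fp: str  # keyed fingerprint of the password; the password itself is never kept


# Assumption: a per-deployment secret, so equal passwords compare equal across
# users while the detector never stores or logs the password.
FINGERPRINT_KEY = b"example-deployment-secret"


def fingerprint(password: str) -> str:
    return hmac.new(FINGERPRINT_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def event(ts, user, server, client, program, success, password) -> LoginEvent:
    return LoginEvent(ts, user, server, client, program, success, fingerprint(password))


def detect_password_spraying(events, threshold=10):
    """Password spraying: one password tried against more than `threshold`
    distinct DB users. Returns {fingerprint: sorted users} for every hit."""
    users_per_fp = defaultdict(set)
    for e in events:
        users_per_fp[e.pw_fp].add(e.db_user)
    return {fp: sorted(u) for fp, u in users_per_fp.items() if len(u) > threshold}


def windowed_failures(events, key: Callable[[LoginEvent], object],
                      window=timedelta(minutes=3), limit=5, min_distinct_users=1):
    """Sliding-window counter shared by both "5 in 3 minutes" rules: group failed
    logins by key(e), keep only those inside `window`, and record the first time
    a key holds `limit` failures from at least `min_distinct_users` DB users."""
    fired = {}
    recent = defaultdict(deque)
    for e in sorted(events, key=lambda x: x.ts):
        if e.success:
            continue
        k = key(e)
        q = recent[k]
        q.append((e.ts, e.db_user))
        while e.ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if k not in fired and len(q) >= limit and len({u for _, u in q}) >= min_distinct_users:
            fired[k] = e.ts
    return fired


def repeated_failed_login_per_server_and_user(events):
    # "Repeated failed login per server IP and user (5 in 3 minutes)"
    return windowed_failures(events, key=lambda e: (e.server_ip, e.db_user))


def repeated_failures_same_program_different_users(events):
    # "Repeated login failures from same Program and different DB users (5 in 3 minutes)";
    # assumption: the window must contain at least two distinct DB_USER values.
    return windowed_failures(events, key=lambda e: e.source_program, min_distinct_users=2)


# Constructed sample events (not real data). T0 is an arbitrary start time.
T0 = datetime(2024, 1, 15, 9, 0, 0)
EVENTS = (
    # spray: one password against 12 users from one client and program, 10 s apart
    [event(T0 + timedelta(seconds=10 * i), f"user{i:02d}", "192.168.1.30", "10.0.0.5",
           "sqlcmd", False, "Winter2024!") for i in range(12)]
    # brute force of a single account: 5 failures within 80 s
    + [event(T0 + timedelta(minutes=5, seconds=20 * i), "appuser", "192.168.1.10", "10.0.0.7",
             "jdbc", False, f"guess{i}") for i in range(5)]
    # one program cycling through 5 service accounts in 2 min (shared password, but only 5 users)
    + [event(T0 + timedelta(minutes=10, seconds=30 * i), f"svc_{c}", "192.168.1.20", "10.0.0.9",
             "pyodbc", False, "Summer2024!") for i, c in enumerate("abcde")]
    # slow failures from a reporting tool: 5 in total, but 5 min apart, never 5 inside 3 min
    + [event(T0 + timedelta(minutes=30 + 5 * i), "report", "192.168.1.10", "10.0.0.11",
             "excel", False, "typo") for i in range(5)]
    # a normal successful login
    + [event(T0 + timedelta(minutes=20), "dba", "192.168.1.10", "10.0.0.2", "jdbc", True, "ok")]
)

if __name__ == "__main__":
    print("spraying:", detect_password_spraying(EVENTS))
    print("per server+user:", repeated_failed_login_per_server_and_user(EVENTS))
    print("per program:", repeated_failures_same_program_different_users(EVENTS))
```

Running this shows why the rules are separate: the sqlcmd spray trips the password spraying rule and the per-program rule but never the per-user rule (each user fails only once), the jdbc brute force trips only the per-user rule (one user, so "different DB users" is not met), and the slow excel failures trip nothing because they never fall five inside one 3-minute window.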
Data exfiltration setup
Data exfiltration that exceeds a defined threshold, either cumulatively during a session or in a single response, generates a security incident. This rule sets the thresholds for session and response exfiltration. In the CONFIGURE rule action, define the thresholds for SESSION, RESPONSE, or both.
Prerequisite: The Session Data Exfiltration or Response Data Exfiltration rules must be installed.
Session data exfiltration
This rule identifies data exfiltration by monitoring the amount of information that is extracted from the database during a single session.
This rule generates the following exception message in the Security Incident report when the data exfiltration threshold is reached:
SESSION DATA EXFILTRATION: DATA EXCEEDED (SESSION_EXFILTRATION_LIMIT).
Prerequisite: The data exfiltration threshold for SESSION is defined by the Data exfiltration setup rule.
Response data exfiltration
This rule identifies data exfiltration by monitoring the amount of information that is extracted from the database in a single response.
This rule generates the following exception message in the Security Incident report when the data exfiltration threshold for a response is reached:
RESPONSE DATA EXFILTRATION: DATA EXCEEDED (RESPONSE_EXFILTRATION_LIMIT).
Prerequisite: The data exfiltration threshold for RESPONSE is defined by the Data exfiltration setup rule.
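The following is an added example (not Guardium code) that shows how the two thresholds set by Data exfiltration setup behave differently when applied to the same stream of query responses: the SESSION threshold accumulates across a session and fires once per session, while the RESPONSE threshold is checked on each response on its own. The threshold names and the exception message formats follow this page; the record layout, byte units, the value substituted into the message, the once-per-session firing and the MARK SESSION bookkeeping are assumptions of this example.

```python
"""Added example (not Guardium code): session-level and response-level data
exfiltration thresholds evaluated over constructed query responses."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ExfilConfig:
    # Values the Data exfiltration setup rule would define in its CONFIGURE action.
    # None models the threshold being left undefined (prerequisite not met).
    session_limit: Optional[int] = None   # SESSION: bytes returned over a whole session
    response_limit: Optional[int] = None  # RESPONSE: bytes returned in a single response


@dataclass
class ExfilMonitor:
    cfg: ExfilConfig
    session_bytes: dict = field(default_factory=lambda: defaultdict(int))
    session_fired: set = field(default_factory=set)    # sessions already reported
    session_trust: dict = field(default_factory=dict)  # MARK SESSION: trust set to LOW
    incidents: list = field(default_factory=list)      # (session_id, exception message)

    def observe(self, session_id: str, response_bytes: int) -> List[str]:
        """Feed one response; return the exception messages it caused."""
        new = []
        # Response data exfiltration: each response is judged on its own.
        if self.cfg.response_limit is not None and response_bytes > self.cfg.response_limit:
            new.append(f"RESPONSE DATA EXFILTRATION: DATA EXCEEDED ({self.cfg.response_limit})")
        # Session data exfiltration: cumulative, reported once per session.
        self.session_bytes[session_id] += response_bytes
        if (self.cfg.session_limit is not None
                and self.session_bytes[session_id] > self.cfg.session_limit
                and session_id not in self.session_fired):
            self.session_fired.add(session_id)
            new.append(f"SESSION DATA EXFILTRATION: DATA EXCEEDED ({self.cfg.session_limit})")
        if new:
            self.session_trust[session_id] = "LOW"
            self.incidents.extend((session_id, m) for m in new)
        return new


# Constructed sample responses (not real data): (session id, bytes in the response).
RESPONSES = [
    ("s1", 4_000), ("s1", 4_000), ("s1", 4_000),  # many small pulls, 12 000 so far
    ("s2", 50_000),                               # one large dump in a single response
    ("s1", 4_000),                                # s1 crosses the session limit here
    ("s3", 1_000),                                # harmless
    ("s1", 4_000),                                # s1 stays over the limit, no second report
]


def run_sample(session_limit: Optional[int] = 15_000,
               response_limit: Optional[int] = 20_000) -> ExfilMonitor:
    mon = ExfilMonitor(ExfilConfig(session_limit, response_limit))
    for sid, nbytes in RESPONSES:
        mon.observe(sid, nbytes)
    return mon


if __name__ == "__main__":
    for sid, msg in run_sample().incidents:
        print(sid, msg)
```

With both limits set, s2 trips both rules on one response (50 000 bytes exceeds the RESPONSE limit and, by itself, the SESSION limit), while s1 trips only the SESSION rule after its fourth small response. Calling run_sample(None, None) models the prerequisite not being met: with no thresholds defined, neither rule can fire.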