Managing correlation alerts
An alert is a message that indicates that an exception or policy rule violation was detected. Create and manage correlation alerts from the Add Alert page.
Alerts are triggered in two ways:
- A correlation alert is triggered by a query that looks back over a specified time period to determine whether the alert threshold is met. The Guardium anomaly detection engine runs correlation queries on a scheduled basis. By default, correlation alerts do not log policy violations, but they can be configured to do that.
- A real-time alert is triggered by a security policy rule. The Guardium inspection engine component runs the security policy as it collects and analyzes database traffic in real time. For more information about real-time alerts, see Understanding policies and Alerting rule actions.
Regardless of how they are triggered, Guardium logs all alerts the same way: the alert information is logged in the Guardium internal database. The amount and type of information that is logged depends on the specific alert type. The Guardium Alerter component, which also runs on a scheduled basis, processes each new alert, passing the logged information for each alert to any combination of the following notification mechanisms:
- MAIL - A Guardium user role email (User), or an external email (Email). When MAIL is selected, you can also select the Attach alert reports as CSV checkbox. Select User or Email. If you select Email, type the receiver's email address. If you select User, choose the user from the user list that is displayed. Click Save to add the receiver, or Back to close the Alert Receiver Selection window.
- SNMP - The SNMP (network information and control) server. When SNMP is selected for an Alert Notification, the Alerter passes all alert messages of that type to the single trap community for which the Alerter was configured.
- Syslog - The alert is written to syslog on the Guardium appliance (which might be configured by the Guardium Administrator to write syslog messages to a remote system).
Note: For SNMP or SYSLOG, the maximum message length is 3000 characters. Any messages longer than that are truncated.
- Custom - A user written Java™ class to handle alerts. The Alerter passes an alert message and timestamp to the custom alerting class. You can have multiple custom alerting classes, and one custom alerting class can be an extension of another custom alerting class.
- Ticket - An external ticketing service
- Alerts are not evaluated in the context of user.
- The alert might be related to databases that are associated with multiple users.
- To avoid situations where no one gets the alert notification.
Alerting tasks for administrators
Guardium administrators perform the following tasks:
- Customize the alert message template from the global profile.
- Configure and start the alerter, which delivers messages to SMTP, SNMP, Syslog, or custom alerting classes.
- Start and stop the anomaly detection engine, which runs the correlation alerts according to the schedules defined.
- Upload custom alerting classes to the Guardium system.
Alerting tasks for users
Guardium users (and administrators) can perform the following tasks for correlation alerts:
- Define queries that can be used for correlation alerts.
- Define correlation alerts.
- Write custom alerting classes.
Creating a correlation alert
A correlation alert is based on a query in any of the reporting domains. The query must be defined before you can define the alert. The query must contain at least one date field to be available to a correlation alert.
- Click Alert Finder. to open the
- Click New in the Alerts Finder page to open the Add Alert page.
- Under Settings, enter the following information:
- Name - Enter a unique name for the alert. Do not include apostrophe characters in the alert name.
- Description - Enter a short sentence that describes the alert.
- Category - Enter an optional category.
- Classification - Enter an optional classification.
- For Recommended Action, add free text as the recommended action for the specific alert.
- Message Template - As with real-time alerts, you can choose a template for the message that is sent in case the threshold alert fires. The template uses a predefined list of variables that are replaced with the appropriate value for the specific alert. For more information about the message template, see The alert message template.
- Severity - Select a severity level from the Severity list. For an email alert, if the alert is set to HIGH, then the email is also flagged as HIGH. For more information on how severity affects syslog facility and priority, see Facility and priority of syslog messages.
- Run Frequency - Enter the number of minutes between runs of the query.
- Select Active to activate the alert, or clear the box to save the alert definition without starting it running (it can be activated later). In a central manager environment, the alert is activated (or stopped) on all managed units when this box is marked (or cleared). To disable the alert on a specific appliance in a central manager environment, use the Anomaly Detection page of the Administrator Console.
- Select Log Policy Violation to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
- Select View in deployment health dashboard if you want to include this alert in the deployment health dashboard.
- Under Alert Definition, enter the following information.
- Query - Select the query to run for this alert. The list of queries that are displayed includes all queries that meet the following criteria:
- Contain at least one date field (timestamp).
- Contain a Count field.
- Can be accessed by your Guardium user account.
If the selected query contains runtime parameters, a Query Parameters window displays in the Alert Definition page. Supply appropriate parameter values for your application.
Troubleshooting tips:
- If a custom query was created in the Query-Report Builder, but the query does not appear in the Query list, make sure that the custom query has a timestamp (date field).
- If you select a query from the Query list that needs editing, but you cannot edit the query, go to the Query-Report Builder to make the changes you need.
- Accumulation Interval - Enter the length of the time interval (in minutes) that the query examines the audit repository, counting back from the current time (for example, enter 10 to examine the last 10 minutes of data).
- Move interval window earlier by - GBDI data is not available immediately. Use this field to move the accumulation interval backwards in time, in minutes, so that the entire time interval of your query has data. Usually 120 minutes is sufficient. Note: Alerts that run on aggregators are based only on data within the defined merge period.
- Select Log Full Query Results to have the full report logged with the alert.
- Column - If the selected query contains one or more columns of numeric data, select a column to use for the test. The default is the last column for the query, which is always the count of occurrences aggregated in that row.
- Under Alert Threshold, define the threshold at which a correlation alert is to be generated, as follows:
- Threshold - Enter a threshold number that applies as described by the remaining fields in the window.
- Alert condition - Select an operator that indicates how the report value relates to the threshold to produce an alert. Choose from > (greater than), >= (greater than or equal to), <= (less than or equal to), or < (less than).
- Threshold Evaluated - Select per report if the threshold number applies to the report total. Select per line if the threshold applies to a single line of the report (the report contains the output of the selected query, which looks back over the specified accumulation time). If there is no data during the specified Accumulation Interval:
- If the threshold is per report, the value for that interval is 0 (zero), and an alert is generated if the threshold condition is met by that zero value. For example, an alert is generated if the condition specified is “Alert when value is < 1”.
- If the threshold is per line, no alert is generated, regardless of the specified condition (because there are no lines of output).
- Threshold Used - Select As absolute limit to indicate that the threshold entered is an absolute number. Select As a percentage change within period to indicate that the threshold represents a percentage of change within the time period that you select in From and To.
- As percentage change within period for the same Accumulation Period on a relative time - One relative date is entered and the alert runs the query for the current period and for the relative period (using the same interval), and checks the values as a percentage of the base period value. Note: If you use a relative period, each time the alert is checked it runs the query twice: once for the current period and once for the relative period.
- Notification Frequency - Indicate how often (in minutes) to notify alert receivers when the alert condition is satisfied.
- Under Managed Units, you can assign or exclude correlation alerts to individual managed units or managed unit groups from the central manager. Under Select Units, select the managed units that you want to include for this alert:
- This Central Manager - By default, the central manager receives alerts. Clear the checkbox to exclude the central manager.
- All - Send alerts to all managed units.
- Single Unit - Send alerts to the specified unit only.
- Exclude Single Unit - Send alerts to all managed units except for the specified unit.
- Managed Unit Group - Click Select Group to select a managed unit group (or create a new group). Send alerts to all units in the specified managed unit group.
- Exclude Managed Unit Group - Click Select Group to select a managed unit group (or create a new group). Send alerts to all managed units except for the units specified in this group.
- Under Alert Receivers, you can optionally designate one or more persons or groups to notify when this alert condition is satisfied. To add a receiver, click Add Receiver to open the Alert Receiver Selection page. Note: If the receiver of an alert is the admin user, then admin must have an assigned email address for the alert to fire. Note: An additional receiver for threshold alerts is Owner (the owner/s of the database). If the query associated with the alert contains Server IP and Service name and if the alert is evaluated Per Row, then the receiver can be Owner. The Alert Notification must have: Alert Notification Type: Mail, Alert User ID: 0, Alert Destination: Owner. For more information, see Alerting rule actions.
- Optionally click Add Comments to add comments to the definition or click Roles to assign roles for the alert.
- Click Apply and then Done to save your alert.
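The Alert Threshold semantics described above (per report versus per line, absolute limit versus percentage change against a relative base period, and the empty-interval cases) as an added worked example; this is illustrative code written for this page, not Guardium's own evaluator, and the query rows, the Threshold class and the behaviour when the base period total is zero are assumptions:

```python
# Added example (not IBM Guardium code): evaluates the Alert Threshold rules
# from the Add Alert page against constructed query output.
from dataclasses import dataclass
from typing import List, Sequence

# Alert condition operators offered on the Add Alert page.
OPS = {">": lambda v, t: v > t, ">=": lambda v, t: v >= t,
       "<=": lambda v, t: v <= t, "<": lambda v, t: v < t}

@dataclass
class Threshold:            # assumed representation of the page's settings
    value: float
    op: str                 # one of the keys in OPS (Alert condition)
    per_line: bool = False  # False = Threshold Evaluated per report, True = per line
    pct_change: bool = False  # True = Threshold Used "As a percentage change within period"

def column_values(rows: Sequence[Sequence], column: int = -1) -> List[float]:
    # Default Column is the last one: the count of occurrences for that row.
    return [float(r[column]) for r in rows]

def evaluate(rows, th: Threshold, base_rows=None, column=-1) -> bool:
    """True if the alert fires for the current Accumulation Interval."""
    fires = OPS[th.op]
    vals = column_values(rows, column)
    if th.per_line:
        # Per line: any single row may fire; an empty report has no lines,
        # so no alert regardless of the condition. (Assumption: per-line
        # tests are absolute-limit only in this example.)
        return any(fires(v, th.value) for v in vals)
    current = sum(vals)      # per report: an empty interval counts as 0
    if not th.pct_change:
        return fires(current, th.value)
    # Percentage change: the query is run a second time for the relative
    # base period with the same interval, and the change is taken as a
    # percentage of the base period value.
    base = sum(column_values(base_rows or [], column))
    if base == 0:
        return False         # assumption: change against an empty base does not fire
    change_pct = (current - base) / base * 100.0
    return fires(change_pct, th.value)

# Constructed sample report rows: (server_ip, db_user, count)
CURRENT = [("10.0.0.5", "app", 40), ("10.0.0.5", "dba", 12)]   # total 52
BASE = [("10.0.0.5", "app", 20), ("10.0.0.5", "dba", 10)]      # total 30

def demo() -> dict:
    return {
        "total_gt_50": evaluate(CURRENT, Threshold(50, ">")),
        "line_gt_30": evaluate(CURRENT, Threshold(30, ">", per_line=True)),
        "empty_report_lt_1": evaluate([], Threshold(1, "<")),
        "empty_per_line_lt_1": evaluate([], Threshold(1, "<", per_line=True)),
        "pct_up_50": evaluate(CURRENT, Threshold(50, ">=", pct_change=True), BASE),
    }
```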
Modifying a correlation alert
- Click Alert Finder. to open the
- Select the correlation alert that you want to modify in the Alert Finder page.
- Click Modify to open the Modify Alert window.
- Modify the alert definition as needed.
- Click Apply.
Removing a correlation alert
- Click Alert Finder. to open the
- Select the correlation alert that you want to remove in the Alerts Finder window.
- Click Delete. You are prompted to confirm the action.