Alerting rule actions
Alert actions send email notifications to one or more configured recipients.
For each alert action, multiple types of notifications can be sent, and the notifications can be a combination of one or more of the following types:
- Email messages: Emails are sent to the configured alert recipients by using the SMTP server integration for Guardium Insights.
- Syslog messages: Messages that are written to the syslog.
- Custom notifications: User-created notifications for conditions that may be unique to a given environment or application.
Alert messages
The contents of an alert are defined by message templates.
Tip: When the default SMTP option is enabled, a predefined alert template is used.
The alerts that are triggered by policy rules include the following information:
- The description of the rule that triggered the alert. For example, "Policy alert on Multiple risk indicative errors by one database user".
- The time of the event.
- The name of the database user who violated the policy rule.
- The client and server IPs.
- The name of the database.
- A link to Guardium Insights to review the violation.
The alerts that are generated for reviewing and signing off on reports are sent to assigned reviewers. These emails include the following information:
- The type of reports that are generated. For example: CCPA data compliance.
- The list of all the reports that require review and the option to view them on Guardium Insights or download to track internally.
Alert behaviors
You can select or modify the alerting behavior for each policy from the Policies screen.
Tip: The CCPA policy is read-only and cannot be modified.
- Alert Once Per Session: Sends notifications only once for each database session in which the rule is matched. This action might be appropriate in situations where you want to know that a certain event has occurred, but not for every instance of that event during a single database session. For example, you may want a notification sent when a certain sensitive object is updated, but if a program updates thousands of instances of that object in a single session, you would not want thousands of notifications sent to the recipients of the alert.