Alerting rule actions

Alert actions send email notifications to one or more configured recipients.

Each alert action can send one or more of the following types of notifications:
  • Email messages: Emails are sent to the configured alert recipients by using the SMTP server integration for Guardium Insights.
  • Syslog messages: Messages that are written to the syslog.
  • Custom notifications: User-created notifications for conditions that may be unique to a given environment or application.

Alert messages

The contents of an alert are defined by message templates.
Tip: When the default SMTP option is enabled, a predefined alert template is used.
The alerts that are triggered by policy rules include the following information:
  • The description of the rule that triggered the alert. For example, "Policy alert on Multiple risk indicative errors by one database user".
  • The time of the event.
  • The name of the database user who violated the policy rule.
  • The client and server IPs.
  • The name of the database.
  • A link to Guardium Insights to review the violation.
The alerts that are generated for reviewing and signing off on reports are sent to assigned reviewers. These emails include the following information:
  • The type of reports that are generated. For example: CCPA data compliance.
  • The list of all the reports that require review, with the option to view them on Guardium Insights or download them to track internally.

Alert behaviors

You can select or modify the alerting behavior for each policy from the Policies screen.

Tip: The CCPA policy is read-only and cannot be modified.
Alert Once Per Session
Sends notifications only once for each database session in which the rule is matched. This action might be appropriate in situations where you want to know that a certain event has occurred, but not for every instance of that event during a single database session. For example, you may want a notification sent when a certain sensitive object is updated, but if a program updates thousands of instances of that object in a single session, you would not want thousands of notifications sent to the receivers of the alert.
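
The following added example (not Guardium Insights code) simulates the Alert Once Per Session behavior on constructed events, so you can see how thousands of rule matches in one session collapse to a single notification. The `Violation` class, the `session_id` field, the sample values, and the choice to suppress per session and rule pair are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Violation:
    """One policy-rule match; fields mirror the alert contents listed above."""
    session_id: str   # hypothetical database-session identifier
    rule: str         # description of the rule that triggered the alert
    time: str
    db_user: str
    client_ip: str
    server_ip: str
    database: str

def alert_once_per_session(violations):
    """Yield only the first violation seen for each (session, rule) pair."""
    seen = set()
    for v in violations:
        key = (v.session_id, v.rule)
        if key in seen:
            continue  # later matches in the same session are suppressed
        seen.add(key)
        yield v

def render(v):
    """Format one notification line from the fields an alert includes."""
    return (f"{v.time} rule={v.rule!r} user={v.db_user} "
            f"client={v.client_ip} server={v.server_ip} db={v.database}")

def sample_events():
    """Constructed input: a batch job updates a sensitive object 3000 times
    in session s-1; another user updates it once in session s-2."""
    rule = "Sensitive object updated"  # constructed rule description
    batch = [Violation("s-1", rule, f"2024-01-01T00:00:{i % 60:02d}Z",
                       "batch_svc", "192.0.2.10", "192.0.2.20", "SALES")
             for i in range(3000)]
    single = [Violation("s-2", rule, "2024-01-01T00:05:00Z", "alice",
                        "192.0.2.11", "192.0.2.20", "SALES")]
    return batch + single

if __name__ == "__main__":
    events = sample_events()
    sent = [render(v) for v in alert_once_per_session(events)]
    print(f"{len(events)} rule matches -> {len(sent)} notifications")
    for line in sent:
        print(line)
```
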