How to create a real-time alert
Send a real-time alert to the database administrator whenever there are more than three failed logins for the same user within five minutes.
About this task
Follow these steps:
- Create a policy
- Add rules to the policy
- Add an action when the rule is triggered
- Install the policy
Configure SMTP or SNMP in the Alerter. Open the Alerter by navigating to , and then fill out the SMTP or SNMP information.
- Create a policy.
- Open the policy builder by navigating to .
- Click the icon to create a new policy or modify an existing policy by selecting the policy and clicking the icon.
- In the Name and properties panel, select the Data security policy type and provide a policy name.
- Add rules to the policy.
- Click to open the Rules panel for the policy.
- Click the icon to add a new rule.
- In the Rule definition panel, use the Rule type menu to select the Exception rule type and use the Rule name field to provide a short descriptive name for the rule.
- Click to open the Rule criteria panel and define the triggering criteria for the rule. Use the following settings to create a rule that triggers when there are more than three failed logins for the same user within five minutes:
Under Session level criteria:
Under SQL criteria:
- Database user = .
Count each individual database user value separately.
Under Other criteria:
- Exception type = LOGIN_FAILED
- Minimum count = 3
Set the minimum number of times the rule is matched before the action is triggered. The count is reset each time the action is triggered or when the reset interval expires.
- Reset interval = 5
Set the number of minutes after which the rule counter is reset. The counter is also reset when the rule action is triggered.
- Record values = 1 - Log full SQL in policy violation
Define what is included in the policy violation report: no SQL, full SQL, or masked SQL.
Select the Continue to next rule option. Continue testing rules once this rule is satisfied and its action is triggered. If this is not selected, no additional rules are tested after this rule is satisfied.
- Add an action when the rule is triggered.
- Click to open the Rule action panel and define actions to take when rule conditions are matched.
- For this example, select to get a notification every time the rule is triggered.
- From the Add new action window, select a Message template, define a Notification type, and then click OK. For MAIL or SNMP notification types, you must configure the alerter at.
- After defining rule actions, click OK to save the rule definition. Click OK again to save the policy.
- Install the policy.
- From the Policy Builder for Data, select the policy and then select .
- From the Install policy window, select the Installation action you want and click OK. Your policy is now installed. Your alert receiver will receive real-time notifications when the policy rules are enacted.
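
The counting behaviour set by the rule criteria above (a separate count per database user, Minimum count, Reset interval), sketched as an added Python example that is not Guardium code. It assumes the action fires when the count reaches Minimum count and that the reset interval runs from the first counted match; the event tuples and the `evaluate` helper are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_COUNT = 3                          # "Minimum count = 3"
RESET_INTERVAL = timedelta(minutes=5)  # "Reset interval = 5"

# Constructed sample events: (timestamp, database user, exception type).
EVENTS = [
    ("2024-01-01 10:00:00", "alice", "LOGIN_FAILED"),
    ("2024-01-01 10:01:00", "bob",   "LOGIN_FAILED"),
    ("2024-01-01 10:02:00", "alice", "LOGIN_FAILED"),
    ("2024-01-01 10:03:00", "alice", "OTHER_TYPE"),    # placeholder type: not counted
    ("2024-01-01 10:04:00", "alice", "LOGIN_FAILED"),  # third match for alice
    ("2024-01-01 10:04:30", "alice", "LOGIN_FAILED"),  # counter restarted after action
    ("2024-01-01 10:07:00", "bob",   "LOGIN_FAILED"),  # bob's interval has expired
    ("2024-01-01 10:08:00", "bob",   "LOGIN_FAILED"),
    ("2024-01-01 10:09:00", "bob",   "LOGIN_FAILED"),  # third match for bob
]

def evaluate(events, min_count=MIN_COUNT, reset_interval=RESET_INTERVAL):
    """Return (timestamp, user) for every point where the rule action would fire."""
    # "Database user = ." : one independent counter per database user.
    state = defaultdict(lambda: {"start": None, "count": 0})
    alerts = []
    for ts_text, user, exc_type in events:
        if exc_type != "LOGIN_FAILED":      # "Exception type = LOGIN_FAILED"
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        counter = state[user]
        # Assumption: the interval starts at the first counted match and the
        # counter is cleared once the interval has elapsed.
        if counter["start"] is None or ts - counter["start"] >= reset_interval:
            counter["start"], counter["count"] = ts, 0
        counter["count"] += 1
        if counter["count"] >= min_count:
            alerts.append((ts_text, user))
            # The counter is also reset when the rule action is triggered.
            counter["start"], counter["count"] = None, 0
    return alerts

if __name__ == "__main__":
    for when, who in evaluate(EVENTS):
        print(f"ALERT {when} user={who}")
```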