How to signify events through Correlation Alerts

Trigger a correlation alert if there are more than fifteen SQL Errors in the last three hours from any individual user of the application.

About this task

Use correlation alerts to report on events that accumulate over time. Applications do not normally generate SQL errors, so a rise in SQL Errors from an application is a warning sign that a SQL Injection may be being attempted. See the online help topics Correlation Alerts and Queries for further information.

Prerequisites

  • Configure the email (SMTP) server (Setup > Tools and Views > Alerter)
  • After fully configuring the correlation alert, make sure it is active and running (Setup > Tools and Views > Anomaly Detection)

An alert is a message indicating that an exception (correlation alert) or policy rule violation (real-time alert) was detected.

A correlation alert is triggered by a query that looks back over a specified time period to determine if an alert threshold has been met.

Overview of correlation alert steps

  1. Create a custom query in Exceptions Tracking with a SQL Errors field (in count mode) and a condition on the application user. To use this custom query in the Alert Builder, a date field (timestamp) is required.
  2. Click Protect > Database Intrusion Detection > Alert Builder to open the Alert Finder.
  3. Click New. Complete the fields as described in the instructions that follow the Alert Builder menu screen.
  4. Add a receiver.
[Figure: Query Builder, SQL Errors query in the Exceptions domain]

Procedure

  1. Exceptions Tracking - Open the Query Finder
    • Users: Select Tools > Report Building, and then select the Exceptions domain only.
  2. Open the drop-down choices for Query and select SQL Errors. This opens a configuration screen with SQL Errors as the main title.
  3. Clone this selection, typing in a unique name in the text box for the query. Do not include apostrophe characters in the query name.
  4. In your custom query, under Query fields, add a date field (timestamp) from the Client/Server entity list and change the database error text field to count field mode. Under Query conditions, change the run-time parameter for exception type to an attribute and choose Exception.App. User Name.
  5. Click Save. This custom query for SQL Errors from any application user is now available for use in the Alert Builder.
    [Figure: Alert Builder correlation query (Alert Builder menu screen)]

  6. Alert Builder - Create a Correlation Alert
  7. Click Protect > Database Intrusion Detection > Alert Builder to open the Alert Finder.
  8. Click the New button in the Alerts Finder panel to display the Add Alert panel.
  9. Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.
  10. Enter a short sentence that describes the alert in the Description box.
  11. Enter an optional category in the Category box. In this instance, Self Monitoring was used.
  12. Enter an optional classification in the Classification box.
  13. Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as urgent.
  14. Enter the number of minutes between runs of the query in the Run Frequency field.
  15. Mark the Active box to activate the alert.
  16. Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
  17. From the Query list in the Alert Definition panel, select the query to run for this alert. The list of queries displayed will include all queries defined that:
    • Contain at least one date field (timestamp) - a timestamp field is required
    • Contain a Count field - a count field is required
    • Can be accessed by your Guardium® user account

    Troubleshooting tip: If a custom query has been created in any Query Builder in Report Building, and it does not appear in the Query list, then make sure that the custom query has a timestamp (date field).

    Troubleshooting tip: If, after selecting a query from the Query list in the Alert Definition panel of the Add Alert screen, you need to edit the query (Edit icon) but it cannot be edited there, go to Query Builder (Tools > Report Building) to edit the query.

  18. If the selected query contains run-time parameters, a Query Parameters panel will appear in the Alert Definition pane. Supply parameter values as appropriate for your application.
  19. In the Accumulation Interval box, enter the length of the time interval (in minutes) that the query should examine in the audit repository, counting back from the current time (for example, enter 10 to examine the last 10 minutes of data).
  20. Mark the Log Full Query results box to have the full report logged with the alert.
  21. If the selected query contains one or more columns of numeric data, select one of those columns to use for the test. The default is the last column of the query (the last item listed), which is always the count of occurrences aggregated in that row.
  22. In the Alert Threshold pane, define the threshold at which a correlation alert is to be generated, as follows:
    • In the Threshold field, enter a threshold number that will apply as described by the remaining fields in the panel.
    • From the Alert when value is list, select an operator indicating how the report value is to relate to the threshold to produce an alert (greater than, greater than or equal to, less than, etc.).
    • Select per report if the threshold number applies to a report total.

    If there is no data during the specified Accumulation Interval: If the threshold is per report, the value for that interval is 0 (zero), and an alert will be generated if the threshold condition is met (for example, if the condition specified is “Alert when value is < 1”).

  23. Indicate in the Notification Frequency box how often (in minutes) the Alert Receivers should be notified when the alert condition has been satisfied.
  24. Click the Apply button to save the alert definition.
    Note: You cannot assign receivers or roles, or enter comments until the definition has been saved.
  25. In the Alert Receivers panel, optionally designate one or more persons or groups to be notified when this alert condition is satisfied. To add a receiver, click the Add Receiver button to open the Add Receiver Selection panel. For information about adding receivers, see notifications.
  26. Optionally click the Roles button to assign roles for the alert. See Security Roles.
  27. Optionally click the Comments button to add comments to the definition.
  28. Click the Apply button and then the Done button when you have finished.

    If there are more than fifteen SQL errors in the last three hours by any application user, then an alert will be sent to the designated receiver.
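The threshold logic the procedure above configures, as an added illustration that is not part of the original page or of Guardium itself: it counts SQL errors per application user inside the accumulation interval, applies the "Alert when value is" operator against the threshold, and treats an empty interval as a per-report value of 0. The record layout and error texts are constructed sample data, not Guardium repository rows.

```python
from collections import Counter
from datetime import datetime, timedelta
import operator

# Operators offered by the "Alert when value is" list
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "=": operator.eq}


def count_sql_errors(records, now, accumulation_minutes):
    """Count SQL errors per application user inside the accumulation interval,
    the window [now - interval, now] that the correlation query looks back over."""
    window_start = now - timedelta(minutes=accumulation_minutes)
    counts = Counter()
    for ts, app_user, error_text in records:
        if window_start <= ts <= now and error_text:  # only rows carrying a DB error text
            counts[app_user] += 1
    return counts


def evaluate_alert(records, now, accumulation_minutes, threshold, op, per_report=False):
    """Return the app users (or, per report, the key 'report') whose count meets the threshold.
    With no data in the interval the per-report value is 0, so 'Alert when value is < 1' fires."""
    compare = OPERATORS[op]
    counts = count_sql_errors(records, now, accumulation_minutes)
    if per_report:
        total = sum(counts.values())  # 0 when the interval holds no rows
        return {"report": total} if compare(total, threshold) else {}
    return {user: n for user, n in counts.items() if compare(n, threshold)}


# Constructed sample data (hypothetical, not from a Guardium repository): 16 errors from
# 'webapp' inside the 3-hour window, 3 from 'batch', and one old 'webapp' error outside it.
NOW = datetime(2024, 1, 15, 12, 0, 0)
SAMPLE_EXCEPTIONS = (
    [(NOW - timedelta(minutes=5 * i), "webapp", "ORA-00942: table or view does not exist")
     for i in range(16)]
    + [(NOW - timedelta(minutes=30 * i), "batch", "ORA-01722: invalid number") for i in range(3)]
    + [(NOW - timedelta(hours=5), "webapp", "ORA-00942: table or view does not exist")]
)

if __name__ == "__main__":
    # The scenario on this page: more than fifteen SQL errors in the last three hours per app user
    print(evaluate_alert(SAMPLE_EXCEPTIONS, NOW, 180, 15, ">"))        # {'webapp': 16}
    # Per-report check over an empty interval: value is 0, so "< 1" fires
    print(evaluate_alert([], NOW, 180, 1, "<", per_report=True))        # {'report': 0}
```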