Correlation Alerts

An alert is a message indicating that an exception or policy rule violation was detected.

Alerts are triggered in two ways:

Regardless of how they are triggered, Guardium logs all alerts the same way: the alert information is logged in the Guardium internal database. The amount and type of information logged depends on the specific alert type. The Guardium Alerter component, which also runs on a scheduled basis, processes each new alert, passing the logged information for each alert to any combination of the following notification mechanisms:

Note: Alert definition and notification are not subject to Data Level Security. Reasons for this include: alerts are not evaluated in the context of a user; an alert may relate to databases associated with multiple users; and exempting alerts avoids situations in which no one receives the alert notification.
Note: If an alert uses a query that contains 30 or more fields (including counters), anomaly detection fails with an "Array out of bound exception" error message. Queries with 30 or more columns cannot be used for alerts, and such queries do not appear in the list of available queries for threshold alerts.

Alerting Tasks for Administrators

Guardium administrators perform the following tasks:

  • Customize the Alert Message Template, using the Global Profile.
  • Configure and start the Alerter, which delivers messages to SMTP, SNMP, Syslog, or Custom alerting classes.
  • Start and stop the Anomaly Detection Engine, which runs the correlation alerts according to the schedules defined.
  • Upload Custom Alerting Classes to the Guardium system.

Alerting Tasks for Users

Guardium users (and administrators) can perform these correlation alerting tasks:

  • Define queries that can be used for correlation alerts
  • Define correlation alerts
  • Write custom alerting classes

About Correlation Alert Queries

A correlation alert is based on a query in any of the reporting domains. That query must be defined before the alert can be defined. To be available for use by a correlation alert, the query must contain at least one date field.

Create a Correlation Alert

  1. Click Protect > Database Intrusion Detection > Alert Builder to open the Alert Finder.
  2. Click New in the Alert Finder panel to display the Add Alert panel.
  3. Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.
  4. Enter a short sentence that describes the alert in the Description box.
  5. Enter an optional category in the Category box.
  6. Enter an optional classification in the Classification box.
  7. In the Recommended Action box, optionally enter free text describing the recommended action for this specific alert.
  8. As with real-time alerts, you can choose a template for the message that is sent when the threshold alert fires. The template uses a predefined list of variables that are replaced with the appropriate value for the specific alert. The list of variables and a default template are detailed in the Named Templates section of the Global Profile help topic.
  9. Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as HIGH.
  10. Enter the number of minutes between runs of the query in the Run Frequency field.
  11. Mark the Active box to activate the alert, or clear the box to save the alert definition without starting it running (it can be activated later). In a Central Manager environment, the alert will be activated (or stopped) on all managed units when this box is marked (or cleared). To disable the alert on a specific appliance in a Central Manager environment, use the Anomaly Detection panel of the Administrator Console.
  12. Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
  13. From the Query list in the Alert Definition panel, select the query to run for this alert. The list of queries displayed will include all queries defined that:
    • Contain at least one date field (timestamp) - a timestamp field is required
    • Contain a Count field - a count field is required
    • Can be accessed by your Guardium user account
    Troubleshooting tips
    • If a custom query has been created in any Query Builder in Report Building, and it does not appear in the Query list, then make sure that the custom query has a timestamp (date field).
    • If, after selecting a query from the Query list in the Alert Definition panel of the Add Alert screen, you need to edit the query (Edit icon) but it cannot be edited there, go to the Query Builder (Tools > Report Building) to edit the query.
  14. If the selected query contains run-time parameters, a Query Parameters panel will appear in the Alert Definition pane. Supply parameter values as appropriate for your application.
  15. In the Accumulation Interval box, enter the length of the time interval (in minutes) that the query should examine in the audit repository, counting back from the current time (for example, enter 10 to examine the last 10 minutes of data).
    Note: Alerts that run on aggregators are based only on data with the defined merge period.
  16. Check the Log Full Query Results box to have the full report logged with the alert.
  17. If the selected query contains one or more columns of numeric data, select one of those columns to use for the test. The default (the last item listed) is the query's last column, which is always the count of occurrences aggregated in that row.
  18. In the Alert Threshold pane, define the threshold at which a correlation alert is to be generated, as follows:
    • In the Threshold field, enter a threshold number that will apply as described by the remaining fields in the panel.
    • From the Alert when value is list, select an operator indicating how the report value is to relate to the threshold to produce an alert (greater than, greater than or equal to, less than, etc.).
    • Select per report if the threshold number applies to a report total, or select per line if the threshold applies to a single line of the report (the report being the output of the selected query, run by looking back over the specified accumulation time).

      If there is no data during the specified Accumulation Interval:

      If the threshold is per report, the value for that interval is 0 (zero), and an alert will be generated if the threshold condition is met (for example, if the condition specified is “Alert when value is < 1”).

      If the threshold is per line, no alert will be generated, regardless of the specified condition (this is because there are no lines of output).

    • Select As absolute limit to indicate that the threshold entered is an absolute number or select As a percentage change within period to indicate that the threshold represents a percentage of change within the time period identified in the From and To fields.

      If the As a percentage change within period option is selected, use the date picker controls to select the From and To dates.

      If the As a percentage change for the same "Accumulation Period" on a relative time option is selected, one relative date is entered; the alert executes the query for the current period and for the relative period (using the same interval), and checks the current values as a percentage of the base period value.
      Note: If a relative period is used, each time the alert is checked it executes the query twice, once for the current period and once for the relative period.
  19. Indicate in the Notification Frequency box how often (in minutes) the Alert Receivers should be notified when the alert condition has been satisfied.
  20. Click Save to save the alert definition.
    Note: You cannot assign receivers or roles, or enter comments until the definition has been saved.
  21. In the Alert Receivers panel, optionally designate one or more persons or groups to be notified when this alert condition is satisfied. To add a receiver, click the Add Receiver button to open the Add Receiver Selection panel.
    Note: If the receiver of an alert is the admin user, the admin user must have an email address assigned for the alert to fire.
    Note: An additional receiver for threshold alerts is Owner (the owner or owners of the database). If the query associated with the alert contains Server IP and Service Name, and the alert is evaluated Per Row, then the receiver can be Owner. The alert notification must have: Alert Notification Type: Mail, Alert User ID: 0, Alert Destination: Owner. See Alerting Actions in Policies for additional receivers for real-time alerts.
  22. Optionally click Roles to assign roles for the alert.
  23. Optionally click Comments to add comments to the definition.
  24. Click Apply and then Done when you have finished.

Modify a Correlation Alert

  1. Click Protect > Database Intrusion Detection > Alert Builder to open the Alert Finder.
  2. Select the correlation alert you want to modify, in the Alert Finder panel.
  3. Click Modify to open the Modify Alert panel.
  4. Referring to the Create a Correlation Alert topic, make changes to the alert definition.
  5. Click Save.

Remove a Correlation Alert

  1. Click Protect > Database Intrusion Detection > Alert Builder to open the Alert Finder.
  2. Select the correlation alert you want to remove, in the Alert Finder panel.
  3. Click the Delete button. You will be prompted to confirm the action.