Correlation Alerts
An alert is a message indicating that an exception or policy rule violation was detected.
Alerts are triggered in two ways:
- A correlation alert is triggered by a query that looks back over a specified time period to determine if the alert threshold has been met. The Guardium® Anomaly Detection Engine runs correlation queries on a scheduled basis. By default, correlation alerts do not log policy violations, but they can be configured to do so.
- A real-time alert is triggered by a security policy rule. The Guardium Inspection Engine component runs the security policy as it collects and analyzes database traffic in real time.
Regardless of how they are triggered, Guardium logs all alerts the same way: the alert information is logged in the Guardium internal database. The amount and type of information logged depends on the specific alert type. The Guardium Alerter component, which also runs on a scheduled basis, processes each new alert, passing the logged information for each alert to any combination of the following notification mechanisms:
- SMTP – The SMTP (outgoing e-mail) server. The Alerter passes standard email messages to the SMTP server for which it has been configured.
- SNMP – The SNMP (network information and control) server. When SNMP is selected for an alert notification, the Alerter passes all alert messages of that type to the single trap community for which the Alerter has been configured.
- Syslog – The alert is written to syslog on the Guardium appliance (which may be configured by the Guardium Administrator to write syslog messages to a remote system). Note: For SNMP or Syslog, the maximum message length is 3000 characters. Any messages longer than that will be truncated.
- Custom – A user-written Java™ class that handles alerts. The Alerter passes an alert message and timestamp to the custom alerting class. There can be multiple custom alerting classes, and one custom alerting class can be an extension of another custom alerting class.
Alerting Tasks for Administrators
Guardium administrators perform the following tasks:
- Customize the Alert Message Template, using the Global Profile.
- Configure and start the Alerter, which delivers messages to SMTP, SNMP, Syslog, or Custom alerting classes.
- Start and stop the Anomaly Detection Engine, which runs the correlation alerts according to the schedules defined.
- Upload Custom Alerting Classes to the Guardium system.
Alerting Tasks for Users
Guardium users (and administrators) can perform these correlation alerting tasks:
- Define queries that can be used for correlation alerts
- Define correlation alerts
- Write custom alerting classes
About Correlation Alert Queries
A correlation alert is based on a query in any of the reporting domains. That query must be defined before the alert can be defined. To be available for use by a correlation alert, the query must contain at least one date field.
Create a Correlation Alert
- Click Alert Finder. to open the
- Click New in the Alerts Finder panel to display the Add Alert panel.
- Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.
- Enter a short sentence that describes the alert in the Description box.
- Enter an optional category in the Category box.
- Enter an optional classification in the Classification box.
- In the Recommended Action box, optionally enter free text describing the recommended action for this specific alert.
- As in real-time alerts, the user can choose a template for the message that is sent in case the threshold alert fires. The template uses a predefined list of variables that are replaced with the appropriate value for the specific alert. The list of variables and a default template are detailed in the Named Templates section of the Global Profile help topic.
- Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as HIGH.
- Enter the number of minutes between runs of the query in the Run Frequency field.
- Mark the Active box to activate the alert, or clear the box to save the alert definition without starting it running (it can be activated later). In a Central Manager environment, the alert will be activated (or stopped) on all managed units when this box is marked (or cleared). To disable the alert on a specific appliance in a Central Manager environment, use the Anomaly Detection panel of the Administrator Console.
- Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
- From the Query list in the Alert Definition panel, select the query to run for this alert. The list of queries displayed will include all defined queries that:
- Contain at least one date field (timestamp) - a timestamp field is required
- Contain a Count field - a count field is required
- Can be accessed by your Guardium user account
Troubleshooting tips:
- If a custom query has been created in any Query Builder in Report Building and it does not appear in the Query list, make sure that the custom query contains a timestamp (date field).
- If, after selecting a query from the Query list in the Alert Definition panel of the Add Alert screen, you need to edit the query but the Edit icon does not allow it, edit the query in the Query Builder (Tools > Report Building) instead.
- If the selected query contains run-time parameters, a Query Parameters panel will appear in the Alert Definition pane. Supply parameter values as appropriate for your application.
- In the Accumulation Interval box, enter the length of the time interval (in minutes) that the query should examine in the audit repository, counting back from the current time (for example, enter 10 to examine the last 10 minutes of data). Note: Alerts that run on aggregators are based only on data within the defined merge period.
- Check the Log Full Query Results box to have the full report logged with the alert.
- If the selected query contains one or more columns of numeric data, select one of those columns to use for the test. The default (the last item listed) is the last column of the query, which is always the count of occurrences aggregated in that row.
- In the Alert Threshold pane, define the threshold at which a correlation alert is to be generated, as follows:
- In the Threshold field, enter a threshold number that will apply as described by the remaining fields in the panel.
- From the Alert when value is list, select an operator indicating how the report value is to relate to the threshold to produce an alert (greater than, greater than or equal to, less than, etc.).
- Select per report if the threshold number applies to a report total, or select per line if the threshold applies to a single line of the report (the report being the output of the selected query, run by looking back over the specified accumulation time).
If there is no data during the specified Accumulation Interval:
If the threshold is per report, the value for that interval is 0 (zero), and an alert will be generated if the threshold condition is met (for example, if the condition specified is “Alert when value is < 1”).
If the threshold is per line, no alert will be generated, regardless of the specified condition (this is because there are no lines of output).
- Select As absolute limit to indicate that the threshold entered is an absolute number, or select As a percentage change within period to indicate that the threshold represents a percentage of change within the time period identified in the From and To fields.
If the As percentage change within period option is selected, use the date picker controls to select the From and To dates.
If As percentage change for the same "Accumulation Period" on a relative time is selected, one relative date is entered, and the alert executes the query for the current period and for the relative period (using the same interval) and checks the values as a percentage of the base period value. Note: If a relative period is used, each time the alert is checked it executes the query twice, once for the current period and once for the relative period.
- Indicate in the Notification Frequency box how often (in minutes) the Alert Receivers should be notified when the alert condition has been satisfied.
- Click Save to save the alert definition.
Note: You cannot assign receivers or roles, or enter comments until the definition has been saved.
- In the Alert Receivers panel, optionally designate one or more persons or groups to be notified
when this alert condition is satisfied. To add a receiver, click the Add Receiver button to open the
Add Receiver Selection panel. Note: If the receiver of an alert is the admin user, then admin must be assigned an email address for the alert to fire. Note: An additional receiver for threshold alerts is Owner (the owner or owners of the database). If the query associated with the alert contains Server IP and Service Name, and the alert is evaluated per line, then the receiver can be Owner. The alert notification must have: Alert Notification Type: Mail, Alert User ID: 0, Alert Destination: Owner. See Alerting Actions in Policies for additional receivers for real-time alerts.
- Optionally click Roles to assign roles for the alert.
- Optionally click Comments to add comments to the definition.
- Click Apply and then Done when you have finished.
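The threshold rules in the Alert Threshold pane (per report versus per line, the no-data case, and absolute limit versus percentage change against a base period) are easiest to see as code. The following is an added worked model, not Guardium's own implementation; the `Threshold` and `evaluate` names, the positional matching of lines in percentage-per-line mode, and the treatment of a zero base value as 0% change are assumptions made for the example.

```python
import operator
from dataclasses import dataclass
from typing import List, Optional

# Operators offered by the "Alert when value is" list.
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "=": operator.eq, "!=": operator.ne}


@dataclass
class Threshold:
    value: float
    op: str                   # key into OPERATORS
    per_line: bool = False    # False: per report (total); True: per line
    percentage: bool = False  # False: absolute limit; True: % change vs base period


def pct_change(current: float, base: float) -> float:
    """Percentage change of current against the base period value."""
    # Assumption: a zero base value is treated as 0% change (the page does not say).
    return 0.0 if base == 0 else (current - base) / base * 100.0


def evaluate(rows: List[float], t: Threshold,
             base_rows: Optional[List[float]] = None) -> List[float]:
    """Return the tested values that satisfied the threshold; empty means no alert.

    rows: the selected numeric column for the current accumulation interval,
    one entry per report line ([] = no data). base_rows: the same column for the
    relative/base period, used only when t.percentage is True.
    """
    cmp = OPERATORS[t.op]
    base = base_rows or []
    if t.per_line:
        if not rows:          # no lines of output: never alerts, whatever the condition
            return []
        if t.percentage:
            # Assumption: lines are matched by position; a missing base line counts as 0.
            tested = [pct_change(r, base[i] if i < len(base) else 0.0)
                      for i, r in enumerate(rows)]
        else:
            tested = list(rows)
        return [v for v in tested if cmp(v, t.value)]
    # Per report: an interval with no data has total 0, which can still match "< 1".
    total = float(sum(rows))
    tested_total = pct_change(total, float(sum(base))) if t.percentage else total
    return [tested_total] if cmp(tested_total, t.value) else []


if __name__ == "__main__":
    current = [3.0, 12.0, 7.0]  # constructed sample: count column, one value per line
    print(evaluate(current, Threshold(10, ">", per_line=True)))   # [12.0]
    print(evaluate([], Threshold(1, "<")))                         # [0.0]
    print(evaluate([], Threshold(1, "<", per_line=True)))          # []
```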
Modify a Correlation Alert
- Click Alert Finder. to open the
- In the Alert Finder panel, select the correlation alert you want to modify.
- Click Modify to open the Modify Alert panel.
- Referring to the Create a Correlation Alert topic, make changes to the alert definition.
- Click Save.
Remove a Correlation Alert
- Click Alert Finder. to open the
- In the Alert Finder panel, select the correlation alert you want to remove.
- Click the Delete button. You will be prompted to confirm the action.