Database Activity Monitoring (DAM) policies : Data policies : Configuring a table policy : Configuing alert rules for a table policy
 
Configuing alert rules for a table policy
1. Click the triangle icon of the Alert Rules section to expand it.
2. In the Combination Rule field, select one from the dropdown list:
Options
Descriptions
Issue alert if ANY of the enabled rules are triggered
if you select this, each rule generates alerts individually.
Issue alert if ALL of the enabled rules are triggered
If you select this, the combination of selected policies generates alerts.
3. Mark the check box of your interests from the following rules:
Options
Descriptions
Security Violation
Alert any failed attempt to access selected object without proper permission.
Suspicious OS User
Alert any successful access to selected object by certain OS users.
You can specify one or more OS usernames by typing the specific name or using a regular expression.
a. Click Add
b. Select an operator from the dropdown list.
c. Enter OS username depending on the operator you selected.
To generate alerts for the OS user(s) you specified in the list, check "Alert any successful access if the OS user is specified in the list" check box.
To generate alerts for the OS user(s) you didn't specified in the list, check "Alert any successful access if the OS user is not specified in the list" check box.
Suspicious Location
Alert any successful access to selected object from certain locations.
You can specify one or more locations by typing the specific location or using a regular expression.
a. Click Add.
b. Select an operator from the dropdown list.
c. Enter a location name depending on the operator you selected.
d. Repeat steps 1 to 3 if necessary.
To generate alerts for any successful access from locations you specified in the list, check "Alert any successful access from locations in the list" check box.
To generate alerts for any successful access from locations not in the list, check "Alert any successful access from locations in the list Alert any successful access from locations not in the list" check box.
Suspicious Database Users
Alert any successful access to selected object by certain database users.
You can specify one or more users as follows:
a. Select one or more users from the Users list.
b. Click the right arrow to move the selections the Selected Users list.
Note: If you want to remove the users from the selected users list, select the users you want to remove and click the left arrow.
To generate alerts for the database user(s) you specified in the list, check "Alert any successful access if the database user is in the list" check box.
To generate alerts for the database user(s) you didn't specified in the list, check "Alert any successful access if the database user is not in the list" check box.
Suspicious Login Names
Alert any successful access to selected object by certain login users.
You can specify one or more users as follows:
a. Select one or more users from the Users list.
b. Click the right arrow to move the selections the Selected Users list.
Note: If you want to remove the users from the selected users list, select the users you want to remove and click the left arrow.
To generate alerts for login user(s) you specified in the list, check "Alert any successful access if the login user is in the list" check box.
To generate alerts for login user(s) you didn't specified in the list, check "Alert any successful access if the login user is not in the list" check box.
Suspicious Client Application (Client Id)
Alert any successful access to selected object by certain client applications.
You can specify one or more client applications by typing the specific client application or using a regular expression.
a. Click Add.
b. Select an operator from the dropdown list.
c. Enter a client application depending on the operator you selected.
d. Repeat steps 1 to 3 if necessary.
To generate alerts for the client application you specified in the list, check "Alert any successful access if the client application is in the list" check box.
To generate alerts for the client application you didn't specified in the list, check "Alert any successful access if the client application is not in the list" check box.
Excessive Access Violation
Alert excessive access to selected object within the specified time slot.
You can specify the maximum accesses allowed within a certain time period.
a. Enter the number of accesses allowed.
b. Enter the number of hours, days, minutes, or seconds after selecting one from the dropdown list.
Tracking Strategy - Tracking rule selection for time violation.
The threshold you set for time violation can be incremented by OS User, Location, Client Application, or Database User separately, depending on your selection. If you don't select any rule, any access to the selected audit settings will be counted.
Time Range Violation
Alert any access to selected object by certain time range.
You can specify one or more time range.
a. Click Add.
b. Enter hour and minute values in "Received from" and "To" for time range, with 24 hours format.
c. Repeat above if necessary.
To generate alerts for the access within the time range, select the "Alert any access if the timestamp is between time range".
To generate alerts for the access out of the time range, select the "Alert any access if the timestamp is not between time range".
Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")
Alert any successful access to selected object by certain client IPs. This rule only has effect for monitoring with Collection Method "TCP/IP Sniffer".
You can specify one or more IP address, IP address Range or subnet.
a. Click Add.
b. Enter Start/End IP address, or IP/Netmask. For example, "192.168.1.1" - "192.168.1.254" for IP range, "192.168.2.0/255.255.255.0" for subnet.
c. Repeat above if necessary.
To generate alerts for the client which's IP is in the specified IP range or subnet, select the "Alert any successful access if the client's IP is in the list".
To generate alerts for the client which's IP is not in the specified IP range or subnet, select the "Alert any successful access if the client's IP is not in the list".
4. Select Save.
See also
Table policy alert rules for different databases