An alert is a message indicating that an exception or policy rule violation was detected. Alerts are triggered in two ways:
A correlation alert is triggered by a query that looks back over a specified time period to determine whether an alert threshold has been met. The Guardium Anomaly Detection Engine runs correlation queries on a scheduled basis. By default, correlation alerts do not log policy violations, but they can be configured to do so.
A real-time alert is triggered by a security policy rule. The Guardium Inspection Engine component runs the security policy as it collects and analyzes database traffic in real time.
Regardless of how they are triggered, Guardium logs all alerts the same way: the alert information is logged in the Guardium internal database. The amount and type of information logged depends on the specific alert type. The Guardium Alerter component, which also runs on a scheduled basis, processes each new alert, passing the logged information for each alert to any combination of the following notification mechanisms:
SMTP – The SMTP (outgoing e-mail) server. The Alerter passes standard email messages to the SMTP server for which it has been configured.
SNMP – The SNMP (network information and control) server. When SNMP is selected for an alert notification, the Alerter passes all alert messages of that type to the single trap community for which the Alerter has been configured.
Syslog – The alert is written to syslog on the Guardium appliance (which may be configured by the Guardium Administrator to write syslog messages to a remote system).
Note: For SNMP or Syslog, the maximum message length is 3000 characters. Any message longer than that will be truncated.
Custom – A user-written Java class that handles alerts. The Alerter passes an alert message and timestamp to the custom alerting class. There can be multiple custom alerting classes, and one custom alerting class can be an extension of another custom alerting class.
Guardium administrators perform the following tasks from the administrator portal:
Customize the Alert Message Template, using the Global Profile panel of the Administrator Console
Configure and start the Alerter, which delivers messages to SMTP, SNMP, Syslog, or Custom alerting classes
Start and stop the Anomaly Detection Engine, which runs the correlation alerts according to the schedules defined
Upload Custom Alerting Classes to the Guardium appliance
For more information on all of these topics, see the Guardium Administration Guide.
Guardium users (and administrators) can perform the correlation alerting tasks described below:
Define queries that can be used for correlation alerts (see Queries)
Define correlation alerts (see Add a Correlation Alert)
Write custom alerting classes (see Custom Alerting).
A correlation alert is based on a query in any of the reporting domains. That query must be defined before the alert can be defined. To be available for use by a correlation alert, the query must contain at least one date field. For information about building queries, see Queries.
Navigate to the Alert Finder:
Users with the admin role: Select Tools > Config & Control > Alert Builder.
All Others: Select Protect > Correlation Alerts > Alert Builder.
Click the New button in the Alerts Finder panel to display the Add Alert panel.
Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.
Enter a short sentence that describes the alert in the Description box.
Enter an optional category in the Category box.
Enter an optional classification in the Classification box.
Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as urgent.
Enter the number of minutes between runs of the query (identified below) in the Run Frequency field.
Mark the Active box to activate the alert, or clear the box to save the alert definition without starting it (it can be activated later). In a Central Manager environment, the alert is activated (or stopped) on all managed units when this box is marked (or cleared). To disable the alert on a specific appliance in a Central Manager environment, use the Anomaly Detection panel of the Administrator Console. (See Anomaly Detection in the Guardium Administration Guide.)
Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.
From the Query list in the Alert Definition panel, select the query to run for this alert. The list of queries displayed will include all queries defined that:
Contain at least one date field
Can be accessed by your Guardium user account
If the selected query contains run-time parameters, a Query Parameters panel will appear in the Alert Definition pane. Supply parameter values as appropriate for your application.
In the Accumulation Interval box, enter the length of the time interval (in minutes) that the query should examine in the audit repository, counting back from the current time (for example, enter 10 to examine the last 10 minutes of data).
Mark the Log Full Query results box to have the full report logged with the alert.
If the selected query contains one or more columns of numeric data, select one of those columns to use for the test. The default (the last item in the list) is the query's last column, which is always the count of occurrences aggregated in that row.
In the Alert Threshold pane, define the threshold at which a correlation alert is to be generated, as follows:
In the Threshold field, enter a threshold number that will apply as described by the remaining fields in the panel.
Select per report if the threshold number applies to a report total, or select per line if the threshold applies to a single line of the report (the report being the output of the query selected above, run by looking back over the specified accumulation time).
If there is no data during the specified Accumulation Interval (see above):
If the threshold is per report, the value for that interval is 0 (zero), and an alert will be generated if the threshold condition is met (for example, if the condition specified is “Alert when value is < 1”).
If the threshold is per line, no alert will be generated, regardless of the specified condition (this is because there are no lines of output).
Select As absolute limit to indicate that the threshold entered is an absolute number or select As a percentage change within period (described below) to indicate that the threshold represents a percentage of change within the time period identified in the From and To fields.
If the As percentage … option is selected, use the date picker controls to select the From and To dates.
From the Alert when value is list, select an operator indicating how the report value is to relate to the threshold to produce an alert (greater than, greater than or equal to, less than, etc.).
Indicate in the Notification Frequency box how often (in minutes) the Alert Receivers should be notified when the alert condition has been satisfied.
Click the Save button to save the alert definition.
Note: You cannot assign receivers or roles, or enter comments, until the definition has been saved.
In the Alert Receivers panel, optionally designate one or more persons or groups to be notified when this alert condition is satisfied. To add a receiver, click the Add Receiver button to open the Add Receiver Selection panel. For information about adding receivers, see Notifications.
Optionally click the Roles button to assign roles for the alert. See Assign Security Roles.
Optionally click the Comments button to add comments to the definition. See Commenting.
Click the Done button when you have finished.
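As an added illustration (not code from the Guardium product or from this page), the following Python models the threshold evaluation described in the Alert Threshold steps above, including the two no-data cases: a per-report threshold sees a value of 0 for an empty interval, while a per-line threshold never fires when there are no lines. The percentage-change helper compares the current report total with a baseline period's total; that baseline comparison is an assumption, since the page does not define how the From and To period is used.

```python
from typing import Callable, Dict, List, Optional

# Constructed sample output of a correlation query. Each row ends with the
# aggregated occurrence count, the column this page says is tested by default.
SAMPLE_REPORT: List[list] = [
    ["2024-01-01 10:00", "appuser", "SELECT", 3],
    ["2024-01-01 10:05", "dba", "GRANT", 7],
]

# Operators offered by the "Alert when value is" list.
OPERATORS: Dict[str, Callable[[float, float], bool]] = {
    ">": lambda v, t: v > t,
    ">=": lambda v, t: v >= t,
    "<": lambda v, t: v < t,
    "<=": lambda v, t: v <= t,
    "=": lambda v, t: v == t,
}


def report_value(rows: List[list], value_index: int = -1) -> float:
    """Per-report total of the tested column; an empty report counts as 0."""
    return sum(float(row[value_index]) for row in rows)


def should_alert(rows: List[list], threshold: float, op: str,
                 per_line: bool = False, value_index: int = -1) -> bool:
    """Apply an absolute threshold as the Alert Threshold pane describes.

    per_line=False: test the report total (0 when the interval had no data).
    per_line=True: test each line; no lines means no alert, whatever the operator.
    """
    test = OPERATORS[op]
    if per_line:
        # any() over an empty report is False: no lines, no alert
        return any(test(float(row[value_index]), threshold) for row in rows)
    return test(report_value(rows, value_index), threshold)


def percent_change(baseline_rows: List[list], current_rows: List[list],
                   value_index: int = -1) -> Optional[float]:
    """Percentage change of the report total against a baseline period.

    Assumption (not stated on the page): the "percentage change within period"
    option compares the current total with the total for the From/To period.
    A zero baseline makes the change undefined, so None is returned.
    """
    base = report_value(baseline_rows, value_index)
    if base == 0:
        return None
    return (report_value(current_rows, value_index) - base) / base * 100.0
```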
Navigate to the Alert Finder:
Users with the admin role: Select Tools > Config & Control > Alert Builder.
All Others: Select Protect > Correlation Alerts > Alert Builder.
In the Alerts Finder panel, select the correlation alert you want to modify.
Click the Modify button to open the Modify Alert panel.
Referring to the Add a Correlation Alert topic above, make changes to the alert definition.
Click the Save button.
Navigate to the Alert Finder:
Users with the admin role: Select Tools > Config & Control > Alert Builder.
All Others: Select Protect > Correlation Alerts > Alert Builder.
In the Alerts Finder panel, select the correlation alert you want to remove.
Click the Remove button. You will be prompted to confirm the action.