Correlation Alerts

Alerting Overview

An alert is a message indicating that an exception or policy rule violation was detected. Alerts are triggered in two ways:

Regardless of how they are triggered, Guardium logs all alerts the same way: the alert information is logged in the Guardium internal database. The amount and type of information logged depends on the specific alert type. The Guardium Alerter component, which also runs on a scheduled basis, processes each new alert, passing the logged information for each alert to any combination of the following notification mechanisms:

Note: For SNMP or SYSLOG, the maximum message length is 3000 characters. Any messages longer than that will be truncated.

Alerting Tasks for Administrators

Guardium administrators perform the following tasks from the administrator portal:

For more information on all of these topics, see the Guardium Administration Guide.

Alerting Tasks for Users

Guardium users (and administrators) can perform the correlation alerting tasks described below:

About Correlation Alert Queries

A correlation alert is based on a query in any of the reporting domains. That query must be defined before the alert can be defined. To be available for use by a correlation alert, the query must contain at least one date field. For information about building queries, see Queries.

Create a Correlation Alert

  1. Navigate to the Alert Finder:

  2. Click the New button in the Alerts Finder panel to display the Add Alert panel.

  3. Enter a unique name for the alert in the Name box. Do not include apostrophe characters in the alert name.

  4. Enter a short sentence that describes the alert in the Description box.

  5. Enter an optional category in the Category box.

  6. Enter an optional classification in the Classification box.

  7. Select a severity level from the Severity list. For an email alert, a setting of HIGH results in the email being flagged as urgent.

  8. Enter the number of minutes between runs of the query (identified below) in the Run Frequency field.

  9. Mark the Active box to activate the alert, or clear the box to save the alert definition without starting it running (it can be activated later). In a Central Manager environment, the alert will be activated (or stopped) on all managed units when this box is marked (or cleared). To disable the alert on a specific appliance in a Central Manager environment, use the Anomaly Detection panel of the Administrator Console. (See Anomaly Detection in the Guardium Administration Guide.)

  10. Mark the Log Policy Violation box to log a policy violation when this alert is triggered. By default, correlation alerts are logged in the Alert Tracking domain only. By marking this box, correlation alerts and real-time alerts (issued by the data access security policy) can be viewed together, in the Policy Violations domain.

  11. From the Query list in the Alert Definition panel, select the query to run for this alert. The list of queries displayed will include all queries defined that:

  12. If the selected query contains run-time parameters, a Query Parameters panel will appear in the Alert Definition pane. Supply parameter values as appropriate for your application.

  13. In the Accumulation Interval box, enter the length of the time interval (in minutes) that the query should examine in the audit repository, counting back from the current time (for example, enter 10 to examine the last 10 minutes of data).

  14. Mark the Log Full Query results box to have the full report logged with the alert.

  15. If the selected query contains one or more columns of numeric data, select one of those columns to use for the test. The default (the last item listed) is the query's last column, which is always the count of occurrences aggregated in that row.

  16. In the Alert Threshold pane, define the threshold at which a correlation alert is to be generated, as follows:

If there is no data during the specified Accumulation Interval (see above):

If the As percentage … option is selected, use the date picker controls to select the From and To dates.

  17. Indicate in the Notification Frequency box how often (in minutes) the Alert Receivers should be notified when the alert condition has been satisfied.

  18. Click the Save button to save the alert definition.

Note: You cannot assign receivers or roles, or enter comments until the definition has been saved.

  19. In the Alert Receivers panel, optionally designate one or more persons or groups to be notified when this alert condition is satisfied. To add a receiver, click the Add Receiver button to open the Add Receiver Selection panel. For information about adding receivers, see Notifications.

  20. Optionally click the Roles button to assign roles for the alert. See Assign Security Roles.

  21. Optionally click the Comments button to add comments to the definition. See Commenting.

  22. Click the Done button when you have finished.
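To make the interplay of the Run Frequency, Accumulation Interval, threshold and Notification Frequency settings concrete, here is an added Python model of one correlation alert evaluated over a constructed set of failed-login events. It is illustration only, not Guardium code: the comparison "count exceeds threshold", the handling of an empty window (alert_on_no_data), and the per-user query are all assumptions standing in for the options the Add Alert panel offers.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: failed-login events (timestamp, database user). Not real data.
T0 = datetime(2024, 1, 1, 9, 0)
EVENTS = [(T0 + timedelta(minutes=m), user) for m, user in
          [(1, "app"), (2, "app"), (2, "dba"), (4, "app"), (7, "app"),
           (8, "app"), (12, "dba"), (31, "app")]]

def run_query(start, end):
    """Models a reporting-domain query with a date field: one row per user over the
    window, whose last column is the count of occurrences aggregated in that row."""
    counts = Counter(user for ts, user in EVENTS if start < ts <= end)
    return [(user, n) for user, n in sorted(counts.items())]

class CorrelationAlert:
    def __init__(self, run_frequency, accumulation_interval, threshold,
                 notification_frequency, alert_on_no_data=False):
        # Settings named as on the Add Alert panel; all values in minutes.
        self.run_frequency = run_frequency
        self.accumulation_interval = accumulation_interval
        self.threshold = threshold                      # assumed: fire when count > threshold
        self.notification_frequency = notification_frequency
        self.alert_on_no_data = alert_on_no_data        # assumed handling of an empty window
        self.last_notified = None

    def evaluate(self, now):
        """One scheduled run. Returns (condition satisfied, receivers notified)."""
        start = now - timedelta(minutes=self.accumulation_interval)
        rows = run_query(start, now)                    # examine the last N minutes of data
        if rows:
            satisfied = any(n > self.threshold for _, n in rows)
        else:
            satisfied = self.alert_on_no_data
        notified = False
        if satisfied and (self.last_notified is None or
                          now - self.last_notified >= timedelta(minutes=self.notification_frequency)):
            self.last_notified = now                    # Notification Frequency throttles repeats
            notified = True
        return satisfied, notified

def simulate(alert, runs):
    """Run the alert every Run Frequency minutes starting at T0."""
    results = []
    for i in range(runs):
        now = T0 + timedelta(minutes=i * alert.run_frequency)
        results.append((now.strftime("%H:%M"),) + alert.evaluate(now))
    return results
```

With simulate(CorrelationAlert(5, 20, 3, 15), 8) the condition is satisfied at 09:10, 09:15 and 09:20 because the 20-minute window keeps seeing the same burst, but receivers are notified only at 09:10: the 15-minute Notification Frequency suppresses the two later runs.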


Modify a Correlation Alert

  1. Navigate to the Alert Finder:

  2. Select the correlation alert you want to modify, in the Alerts Finder panel.

  3. Click the Modify button to open the Modify Alert panel.

  4. Referring to the Create a Correlation Alert topic above, make changes to the alert definition.

  5. Click the Save button.

Remove a Correlation Alert

  1. Navigate to the Alert Finder:

  2. Select the correlation alert you want to remove, in the Alerts Finder panel.

  3. Click the Remove button. You will be prompted to confirm the action.