Imperva Cyber Community

⭐Imperva Insights: Why am I observing false positives on failed login policies when using Agent Monitoring Rules with excluded users?

  • 1.  ⭐Imperva Insights: Why am I observing false positives on failed login policies when using Agent Monitoring Rules with excluded users?

    Community Manager
    Posted 01-06-2020 12:05
    Hello Impervians! 

    Let's start this week off with a Database Activity Monitoring #impervainsights! What frequently asked question has our Support team received recently? 

    I use Agent Monitoring Rules with excluded users, but I observe some False Positives on failed login policies. Why is this and how do I solve this problem? 

    What do our product experts have to say?

    When monitoring database activity, it may be desirable to exclude certain user accounts from auditing due to high traffic volume, known-safe accounts, etc. However, if an Agent Monitoring Rule designed solely to exlude a particular user is used, it can generate false positives on audit or security policies designed to catch failed logins. 

    There are two potential solutions for this situation: ​
    1. Add a match criteria to your Failed Login policy set to exlude the user.
      • This will solve the false positive issue, but will also prevent auditing/alerting on truly failed logins for this acount.  
    2. Add the "Authentication Result" criteria to your Agent Monitoring Rule and set it to "Successful."
      • This will solve the false positive issue while still allowing auditing/alerting on truly failed logins for the account. 

    Have you run into this situation before? What additional obstacles have you faced with Agent Monitoring Rules? 

    If you've missed our previous Imperva Insights and want to explore all of the product expert advice we've been sharing, check it out here

    #AgentMonitoringRules ​
    #DatabaseActivityMonitoring

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------