Imperva Cyber Community

  • 1.  Agent monitoring rules not working as expected

    Posted 04-20-2021 01:43
    Hello,

    I have configured agent monitoring rules where the action is set to "Exclude connection from monitoring".
    The match criteria selected is Database user, and the rules are applied to the respective Agents. Still, I am able to see alerts
    for that DB user in DAM.

    Is there anything else we need to do?

    Regards
    #DatabaseActivityMonitoring

    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------


  • 2.  RE: Agent monitoring rules not working as expected

    Posted 04-20-2021 02:20
    Hello,

    There is a similar discussion post at https://community.imperva.com/communities/community-home/digestviewer/viewthread?MessageKey=3ad103cf-b5af-4961-aa1f-45cd72ef90c7&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&tab=digestviewer#bm3ad103cf-b5af-4961-aa1f-45cd72ef90c7

    If you only see login activities of the relevant user, it is normal for AMR.

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 3.  RE: Agent monitoring rules not working as expected

    Posted 04-20-2021 03:16
    Hi Cezmi,

    Thanks for the information. From the post you shared, can we conclude we need to configure Agent criteria under match criteria?

    Because the AMR is not working as per configuration for users which are used for monitoring DB service.
    Alert, e.g.: Excessive Attempts of Database Login

    Regards


    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------



  • 4.  RE: Agent monitoring rules not working as expected

    Posted 04-20-2021 03:32
    Hi,

    The criteria beginning with Agent Criteria are evaluated on the Agent level and are not forwarded to the GW. Other criteria are forwarded to the GW, and the GW decides to exclude or not based on both AMRs and Audit Policies.

    Regards,

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------