Imperva Cyber Community

Agent monitoring rules not working as expected

  • 1.  Agent monitoring rules not working as expected

    Posted 25 days ago
    Hello,

    I have configured agent monitoring rules where the action is set to "Exclude connection from monitoring".
    The match criterion selected is Database user, and the rules are applied to the respective Agents. I am still able to see alerts
    for that DB user in DAM.

    Is there anything else we need to do?

    Regards
    #DatabaseActivityMonitoring

    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------


  • 2.  RE: Agent monitoring rules not working as expected

    CHAMPION
    Posted 25 days ago
    Hello,

    There is a similar discussion post at https://community.imperva.com/communities/community-home/digestviewer/viewthread?MessageKey=3ad103cf-b5af-4961-aa1f-45cd72ef90c7&CommunityKey=39c6092a-d67a-4bc2-8134-bfbb25fc43af&tab=digestviewer#bm3ad103cf-b5af-4961-aa1f-45cd72ef90c7

    If you only see login activities of the relevant user, it is normal for AMR.

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------



  • 3.  RE: Agent monitoring rules not working as expected

    Posted 25 days ago
    Hi Cezmi,

    Thanks for the information. From the post you shared, can we conclude we need to configure Agent criteria under match criteria?

    Because the AMR is not working as per configuration for users which are used for monitoring the DB service.
    Alert e.g. Excessive Attempts of Database Login

    Regards


    ------------------------------
    Chintan Myakal
    Sr.Cybersecurity Analyst
    Mumbai
    ------------------------------



  • 4.  RE: Agent monitoring rules not working as expected

    CHAMPION
    Posted 25 days ago
    Hi,

    The criteria beginning with Agent Criteria are evaluated at the Agent level and not forwarded to the GW. Other criteria are forwarded to the GW, and the GW decides whether to exclude or not based on both AMRs and Audit Policies.

    Regards,

    ------------------------------
    Cezmi Cal
    technical support engineer
    Barikat Cyber Security
    Ankara
    ------------------------------