Hi,
I want to test following scenario.
I have a trusted user (sa) and a trusted IP (172.28.174.175). When a query matches these values together, I don't want to get alerts, because I trust this connection. For all the other queries which don't match this rule, I want to get an alert.
Logical: All queries exclude (user:sa AND sourceip:172.28.174.175) ---- should create an alert.
To do that I created a rule (see Alert.png).
But if I connect with the "sa" user from an IP address other than "172.28.174.175", I don't get any alert --- (I should get an alert)
OR
if I connect from source IP address "172.28.175.175" with a user other than "sa", I don't get any alert --- (I should get an alert)
How can I do a LOGICAL AND on these two values and then exclude this situation?
I can do that with an AMR rule but I could not on alert rules and DB audit rules.
#DatabaseActivityMonitoring------------------------------
Bilal Kaya
Barikat
ISTANBUL
------------------------------
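The logic described in the post, as an added example that is not part of the original post and not the product's own rule engine: a plain predicate over constructed connection events that shows why the trusted (user, IP) pair has to be excluded as one conjunction, and what happens when the two values are excluded as separate criteria instead. The event layout, the function names and the policy split are assumptions made for this illustration.

```python
# Added example (not from the original post or from the vendor's rule engine):
# models "alert on every query except when user AND source IP are both trusted"
# as a predicate and contrasts it with two independent exclusions.

TRUSTED_USER = "sa"               # trusted user from the post
TRUSTED_IP = "172.28.174.175"     # trusted source IP from the post


def should_alert_pair_excluded(user: str, source_ip: str) -> bool:
    """Intended behaviour: suppress only when BOTH values match (NOT (A AND B))."""
    return not (user == TRUSTED_USER and source_ip == TRUSTED_IP)


def should_alert_separate_exclusions(user: str, source_ip: str) -> bool:
    """Misconfiguration to avoid: excluding the user and the IP independently.

    This is NOT (A OR B): any query by 'sa', and any query from the trusted
    IP, is suppressed, which is exactly the missing-alert symptom in the post.
    """
    return not (user == TRUSTED_USER or source_ip == TRUSTED_IP)


def should_alert_demorgan(user: str, source_ip: str) -> bool:
    """Same condition as the intended one, rewritten with De Morgan's law.

    NOT (A AND B) == (NOT A) OR (NOT B). Useful when a rule builder only
    offers negation per criterion: 'user is not sa' OR 'IP is not trusted'.
    """
    return (user != TRUSTED_USER) or (source_ip != TRUSTED_IP)


# Constructed sample events covering the four user/IP combinations.
EVENTS = [
    {"user": "sa",      "source_ip": "172.28.174.175"},  # trusted pair
    {"user": "sa",      "source_ip": "10.0.0.5"},        # sa from an untrusted host
    {"user": "appuser", "source_ip": "172.28.174.175"},  # other user from trusted IP
    {"user": "appuser", "source_ip": "10.0.0.5"},        # neither value trusted
]


def evaluate(policy, events=EVENTS):
    """Return the alert decision of `policy` for each event, in order."""
    return [policy(e["user"], e["source_ip"]) for e in events]


def count_alerts(policy, events=EVENTS) -> int:
    """Number of events that would raise an alert under `policy`."""
    return sum(evaluate(policy, events))


if __name__ == "__main__":
    for name, policy in [
        ("pair excluded (intended)", should_alert_pair_excluded),
        ("separate exclusions (wrong)", should_alert_separate_exclusions),
        ("De Morgan form", should_alert_demorgan),
    ]:
        decisions = evaluate(policy)
        print(f"{name:30s} -> {decisions}  alerts={sum(decisions)}")
```

Under the intended policy only the first event is silent and the other three alert; under separate exclusions the second and third events are silent too, which matches the two "I don't get any alert" cases in the post. The De Morgan form gives identical decisions to the intended policy, so if the rule builder only negates one criterion at a time, "user is not sa OR source IP is not 172.28.174.175" expresses the same exclusion.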