Imperva Cyber Community


DAM Alert Rule

  • 1.  DAM Alert Rule

    Posted 12-19-2019 04:06
    Hi,

    I want to test the following scenario.

    I have a trusted user (sa) and a trusted IP (172.28.174.175). When a query matches these values together, I don't want to get alerts, because I trust this connection. For all the other queries which don't match this rule, I want to get an alert.

    Logical:     All queries exclude  (user:sa AND sourceip:172.28.174.175) ---- should create an alert.

    To do that I created a rule ( see Alert.png).

    But if I connect with the "sa" user from an IP address other than "172.28.174.175", I don't get any alert --- (I should get an alert)
    OR
    if I connect from source IP address "172.28.175.175" with a user other than the "sa" user, I don't get any alert --- (I should get an alert)

    How can I do a LOGICAL AND of these two values and then exclude this situation?

    I can do that with an AMR rule, but I could not in alert rules and DB audit rules.


    #DatabaseActivityMonitoring

    ------------------------------
    Bilal Kaya
    Barikat
    ISTANBUL
    ------------------------------


  • 2.  RE: DAM Alert Rule

    Imperva Employee
    Posted 12-19-2019 15:29
    Hello Bilal Kaya,
    The logic in the policy is correct. Does sa show up in the field database user name in the audit logs? Is the policy applied to the correct resource under the Apply To tab? Is the policy saved?


    ------------------------------
    Scott Morgan
    Imperva
    ------------------------------



  • 3.  RE: DAM Alert Rule

    Posted 12-20-2019 02:06
    Hi Scott,

    Thank you for your reply.

    I have no problem getting audit data.

    The security policy (attached in the previous post) can't do what I intend to.

    For example:

    if the "sa" user connects to the database (whatever the source IP), it does not create an alert. (but it should)
    or
    if the "172.28.174.175" source IP connects to the database (whatever the user name), it does not create an alert. (but it should)

    I want that only if "source ip" AND "user" match together at the same time, it should not create an alert. All the other conditions should create an alert. I can't do such a basic thing in a security policy or audit policy.




    ------------------------------
    Bilal Kaya
    Barikat
    ISTANBUL
    ------------------------------



  • 4.  RE: DAM Alert Rule

    Imperva Employee
    Posted 12-20-2019 14:33
    My question of "Does sa show up in the field database user name in the audit logs?" is asked because sometimes SA shows up as user or database user. Please look at the audit logs to see what field SA is showing up under. Also, verify the required IP shows up in the audit logs as source IP. I get that it should, but SA is a local account and may show up differently. Maybe as 0.0.0.0 if the agent sees the traffic as local rather than network. If the source IP is seen in the audit logs as 0.0.0.0, in the advanced configuration of the agent (in the agent workbench) change the fictitious IPs to the IP of the server interface.

    What tool are you using to access the DB with the username SA? You may filter for that tool too to improve security.

    The policy logic is consistent with what you desire as the outcome.


    ------------------------------
    Scott Morgan
    Imperva
    ------------------------------



  • 5.  RE: DAM Alert Rule

    Posted 12-23-2019 06:32
    As I said before, I have no problem getting audit data properly. User names and fictitious IPs are all correct.

    The problem is that:

    Imperva can't do this logical operation: (A AND B)'

    Imperva can do this: A' AND B'

    As a logic rule:

    A' AND B' != (A AND B)'

    This can be done only with an AMR rule, not a security or DB audit rule.

    You can see it if you give this condition a try.



    ------------------------------
    Bilal Kaya
    Barikat
    ISTANBUL
    ------------------------------
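The difference Bilal describes in post 1 and states as a logic rule in post 5 is De Morgan's law: negating each field separately (A' AND B') silences far more traffic than negating the combination ((A AND B)'). The following is an added example, not code from the thread or from Imperva, that evaluates both rule shapes against constructed audit events so the two missed cases from the original post show up as a list. The event field names `db_user` and `source_ip` and the untrusted sample values are assumptions; the trusted user and IP are the ones from the post.

```python
"""Added example (not from the thread or from Imperva): evaluate the two
rule shapes discussed in the thread against constructed audit events."""
from dataclasses import dataclass
from itertools import product

# Trusted values taken from the original post.
TRUSTED_USER = "sa"
TRUSTED_IP = "172.28.174.175"


@dataclass(frozen=True)
class AuditEvent:
    # Field names are an assumption for this example, not Imperva's schema.
    db_user: str
    source_ip: str


def alerts_per_field_exclusion(ev: AuditEvent) -> bool:
    """A' AND B': each field is negated on its own, so the rule fires only
    when BOTH the user and the IP differ from the trusted values.  'sa' from
    any IP, and any user from the trusted IP, stay silent."""
    return ev.db_user != TRUSTED_USER and ev.source_ip != TRUSTED_IP


def alerts_combined_exclusion(ev: AuditEvent) -> bool:
    """(A AND B)': the intended rule.  Only the exact trusted (user, ip)
    pair is silent; every other combination alerts."""
    return not (ev.db_user == TRUSTED_USER and ev.source_ip == TRUSTED_IP)


def truth_table(events):
    """(event, per_field_alerts, combined_alerts) for each event."""
    return [(ev, alerts_per_field_exclusion(ev), alerts_combined_exclusion(ev))
            for ev in events]


def coverage_gap(events):
    """Events the intended rule alerts on but the per-field rule misses.
    For the sample below these are exactly the two cases in the post."""
    return [ev for ev in events
            if alerts_combined_exclusion(ev) and not alerts_per_field_exclusion(ev)]


# Constructed sample: every combination of trusted/untrusted user and IP.
SAMPLE_EVENTS = [
    AuditEvent(user, ip)
    for user, ip in product([TRUSTED_USER, "app_svc"], [TRUSTED_IP, "10.0.0.50"])
]

if __name__ == "__main__":
    for ev, per_field, combined in truth_table(SAMPLE_EVENTS):
        print(f"{ev.db_user:8} {ev.source_ip:16} "
              f"per-field={str(per_field):5} intended={combined}")
    print("missed by per-field rule:", coverage_gap(SAMPLE_EVENTS))
```

Running it prints a four-row truth table; the per-field form alerts on one row (untrusted user from untrusted IP), the intended form on three, and `coverage_gap` returns the "sa from another IP" and "another user from the trusted IP" events. The same check works as a quick sanity test for any allow-list that is meant to exempt a specific pair of attributes rather than each attribute on its own.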



  • 6.  RE: DAM Alert Rule

    Imperva Employee
    Posted 12-30-2019 11:18
    You are correct, Bilal.
    We have multiple feature requests for more flexibility in how we can apply and define match criteria.

    I know we are working on some features in this area but I do not have any ETA.
    It should be a part of Version 14 though.

    Hopefully we can implement some of these features soon.


    ------------------------------
    Phil Klassen
    ------------------------------



  • 7.  RE: DAM Alert Rule

    Posted 12-31-2019 02:06
    Thank you Phil.

    ------------------------------
    Bilal Kaya
    Barikat
    ISTANBUL
    ------------------------------