Imperva Cyber Community

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hey Pal,

Focusing on the example in my original post. Our DBA's are using a tool called 'Redgate SQL monitor' within our MSSQL environment.

This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application.

I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hey Pal,

Focusing on the example in my original post. Our DBA's are using a tool called 'Redgate SQL monitor' within our MSSQL environment.

This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application.

I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hey Jaired,

Thanks for this information! I see now where I can expand the criteria for the exception.

Is there a way to add further exception criteria to that area, such as a lookup data set?

Appreciate the help!

Hey Pal,

Focusing on the example in my original post. Our DBA's are using a tool called 'Redgate SQL monitor' within our MSSQL environment.

This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application.

I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hey Jaired,

Thanks for this information! I see now where I can expand the criteria for the exception.

Is there a way to add further exception criteria to that area, such as a lookup data set?

Appreciate the help!

Hey Pal,

Focusing on the example in my original post. Our DBA's are using a tool called 'Redgate SQL monitor' within our MSSQL environment.

This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application.

I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hey Pal,

Focusing on the example in my original post. Our DBA's are using a tool called 'Redgate SQL monitor' within our MSSQL environment.

This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application.

I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!

Hey Pal,

Focusing on the example in my original post. Our DBA's are using a tool called 'Redgate SQL monitor' within our MSSQL environment.

This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application.

I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.

Hello,

Looking for some tips and trick with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.

What are some best practices with tuning the policies? Wondering how others have had success?

One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.

Policy enabled: Recommended Signature Policy for Database Applications 

Thanks!