Hi Alex,
In this case, I recommend clicking "Add as exception" and then modifying the exception to be more "wide/loose" based on your preference.
In the screenshot posted above, the exception will be added to the "Recommended Policy for Database Applications - Legacy".
After the exception has been added, click the "Recommended Policy for Database Applications - Legacy" link (as a shortcut) to access this policy directly, and then select the Exceptions tab.
From here, you will be able to make adjustments to the policy exception as you see fit to be more inclusive or exclusive based on specific criteria.
------------------------------
Jaired Anderson
Principal Consultant
Imperva
Tulsa OK
------------------------------
Original Message:
Sent: 02-25-2020 11:53
From: Alex Kasprzak
Subject: Tuning Security Policies
Hey Pal,
Focusing on the example in my original post. Our DBAs are using a tool called 'Redgate SQL Monitor' within our MSSQL environment.
This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application?
I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.
------------------------------
Alex Kasprzak
Brookdale Senior Living
WI
Original Message:
Sent: 02-20-2020 20:35
From: Pal Balint
Subject: Tuning Security Policies
Hello Alex,
what are the most common alerts you're trying to triage?
Are they related to a MSSQL service?
Can you list a few examples you're facing?
Thanks,
p.
------------------------------
Pal Balint
Original Message:
Sent: 02-18-2020 11:39
From: Alex Kasprzak
Subject: Tuning Security Policies
Hello,
Looking for some tips and tricks with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.
What are some best practices with tuning the policies? Wondering how others have had success?
One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.
Policy enabled: Recommended Signature Policy for Database Applications
Thanks!
#DatabaseActivityMonitoring
------------------------------
Alex Kasprzak
Brookdale Senior Living
------------------------------