Imperva Cyber Community

Filter Events that are forwarded to Data Risk Analytics

  • 1.  Filter Events that are forwarded to Data Risk Analytics

    Posted 13 days ago
    Hello,

    I have been trying to apply an advanced filter criterion to the CounterBreach DAM AA1 audit policy so that only audit data that matches events for a specific database is sent to Data Risk Analytics. So far the filtering has failed.

    Is there a reason why this filtering does not work when matching on queries?
    #DatabaseActivityMonitoring

    ------------------------------
    samson adewale
    GA
    ------------------------------


  • 2.  RE: Filter Events that are forwarded to Data Risk Analytics

    Imperva Employee
    Posted 12 days ago
    Hi Samson,

    Is there a specific reason you are trying to filter out DBs?
    Are you trying to filter out audit for only specific DBs within a Server Group/Service, or entire blocks of DBs making up an entire Server Group Service?

    In general terms, DRA expects to get all audit data so that it can build up a very accurate picture of a normal traffic profile. If elements of the DB traffic/audit are filtered out at source, this affects the accuracy of the learning algorithms, and this is undesirable as it could create false positives, which are bad as they can dilute effort, or false negatives, which are bad as they can miss bad activity.

    ------------------------------
    Stefan Pynappels
    Escalation Engineer
    Imperva
    ------------------------------
  • 3.  RE: Filter Events that are forwarded to Data Risk Analytics

    Posted 11 days ago
    Well, the issue is that we have Exadatas which hold many, many databases, most of which are out of scope for our database monitoring efforts. We simply want DRA to receive only audit data for the databases that are in scope and profile those activities.

    All of the Exadata nodes in the cluster are set up in the server group, and the in-scope applications are set up under one database service to allow for accurate application profiling.

    We are not trying to filter out useful elements from our Exadatas; we just want to have control over the database traffic that we monitor with the DRA. At this time, we are receiving too much data for databases that we do not care to monitor at this time.

    Is this possible?
    ------------------------------
    samson adewale
    GA
    ------------------------------