There are a couple of ways. Let's assume that an external system (such as CyberArk) provisions an account for 3 hours. A database session that was started prior to the account time limit will not be stopped by the database.
We can't flag a user (whatever that means) for extending beyond an externally posed time frame as SeS has no way to keep track of a user's login period. If, however, we create a lookup set that is maintained externally, we can then access this information in a custom Database Service security policy. There are two possible ways to do this: 1) create a lookup set that is maintained directly on the MX (or via API) and add (and remove) appropriate user IDs as they "expire". 2) Illustrated below is creating lookup data from an external database:
Here is a screenshot of me building a lookup set that queries an external database:
------------------------------
Richard Johnson
------------------------------
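The second option in the reply above, sketched as an added example that is not part of the original post and is not Imperva or CyberArk code: a query that returns only the user IDs whose provisioned window has ended, which is the data a lookup set built from an external database would hold. The `account_grants` table, its columns, the sample rows and the helper names are hypothetical, SQLite stands in for the external database, and the policy match is simulated in Python.

```python
import sqlite3

# Constructed sample data; the table and column names are hypothetical.
GRANTS = [  # (userid, granted_at, window_minutes)
    ("dba_alice", "2019-11-04 09:00:00", 180),
    ("dba_bob",   "2019-11-04 13:00:00", 180),
    ("dba_carol", "2019-11-04 11:30:00", 180),
]

# Query a lookup set could run against the external database: it returns
# only the user IDs whose provisioned window has already ended.
EXPIRED_SQL = """
SELECT userid
FROM account_grants
WHERE datetime(granted_at, '+' || window_minutes || ' minutes') <= datetime(?)
ORDER BY userid
"""

def build_db(grants):
    """Create the stand-in external database in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account_grants (userid TEXT PRIMARY KEY, "
               "granted_at TEXT NOT NULL, window_minutes INTEGER NOT NULL)")
    db.executemany("INSERT INTO account_grants VALUES (?, ?, ?)", grants)
    return db

def expired_userids(db, now):
    """Rows the lookup set would hold at `now` ('YYYY-MM-DD HH:MM:SS')."""
    return [row[0] for row in db.execute(EXPIRED_SQL, (now,))]

def flag_activity(events, lookup_set):
    """Simulate the policy match: activity by a user ID in the lookup set."""
    members = set(lookup_set)
    return [e for e in events if e["userid"] in members]

if __name__ == "__main__":
    db = build_db(GRANTS)
    lookup = expired_userids(db, "2019-11-04 15:26:00")
    events = [  # constructed audit events observed after the refresh
        {"userid": "dba_alice", "sql": "SELECT * FROM payroll"},
        {"userid": "dba_bob", "sql": "SELECT 1"},
    ]
    print("lookup set:", lookup)
    print("flagged:", flag_activity(events, lookup))
```

Because the session itself is never terminated, the flag only fires on activity seen after the lookup set has been refreshed, so the refresh interval bounds how late an overrun is noticed.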
Original Message:
Sent: 11-04-2019 15:26
From: Chris Hauser
Subject: Flag Users When Session Exceeds Length
Hi Everyone,
Q: can I use SecureSphere WAF to flag when a user session exceeds the time allowed by the issued CyberArk ID?
Or asked differently,
Given:
- use of CyberArk for user credentials and session window (length of time)
- On-prem WAF, aka SecureSphere WAF
Q: How can we flag when a user session exceeds a length?
Regards
Chris
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Chris Hauser
Chris.hauser@imperva.com
------------------------------