Imperva Cyber Community

  • 1.  How are administrators profiling on the DAM product?

    Posted 10-14-2019 11:36

    I'm curious to know how administrators are tuning out create/drop alerts (privileged ops) for #temporary tables in MS SQL and privileged ops on employee schemas within Oracle?  My goal is to see an alert only if a user is executing privileged operations on objects outside of their own schemas and also not against temporary tables. Has anyone done this and if so, how? 


    #DatabaseActivityMonitoring
    #AllImperva

    ------------------------------
    Jana Lee
    Regions Financial Corporation
    ------------------------------


  • 2.  RE: How are administrators profiling on the DAM product?

    Posted 10-14-2019 16:01
    DB profile provides information on DB users and the actions they take, for example the queries they run.
    Use the MX UI to access and view the profile information you have now to understand what information you are provided.
    You may also reference these links for information:
    https://docs.imperva.com/bundle/v13.5-database-activity-monitoring-user-guide/page/1735.htm
    https://docs.imperva.com/bundle/v13.5-database-activity-monitoring-user-guide/page/1689.htm

    Now to alerting and blocking - these are actually referred to as DBF policies and are listed under policy/security in the MX UI.
    Imperva provides predefined command groups and privileged commands under global objects.
    You would want to create a security, DBF, policy and under your match criteria specify the user, tables, and commands you want to alert on.
    Remember every Match operation is AND'd - so all criteria must match before there will be a match and trigger an alert.


  • 3.  RE: How are administrators profiling on the DAM product?

    Posted 10-14-2019 20:23
    This might be overkill for what you're looking at, but a good tool I've used in similar situations to reduce noise from temp tables is text replacement (configured in the site tree under the Service object's Operation tab). Essentially this makes the DAM see all temporary tables as whatever arbitrary string you choose to represent them (I use "#tmp") so you can then reference that single table name in criteria elsewhere (policies, profiles, etc...).

    Text replacement is pretty powerful (dangerous?), because it could potentially replace any string that matches your regex.

    For your example, once you had text replacement going you could just use the "Destination Tables" criteria in relevant policies to exclude #tmp (or whatever arbitrary string you chose that now represents all temporary tables).

    ------------------------------
    Nathan Albury
    Program Manager, Services
    Imperva
    ------------------------------
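
The temp-table normalization and the over-matching risk described in the post above, sketched in Python as an added example (not part of the thread, and not Imperva's text-replacement or policy syntax). The regexes, the `should_alert` helper, the user names and the sample statements are all constructed assumptions.

```python
import re

TOKEN = "#tmp"  # arbitrary placeholder, as in the post

# Over-broad pattern: any '#' plus the following non-space run.
NAIVE = re.compile(r"#\S+")
# Narrower pattern (assumption): match quoted literals first so they can be
# kept, then #name / ##name identifiers that do not continue another word.
NARROW = re.compile(r"'(?:[^']|'')*'|(?<![\w#])##?[A-Za-z_][\w$@#]*")

def normalize(sql, pattern=NARROW):
    """Collapse temp-table names to TOKEN; string literals pass through."""
    def repl(m):
        return m.group() if m.group().startswith("'") else TOKEN
    return pattern.sub(repl, sql)

# Constructed stand-in for a privileged-operations command group.
PRIVILEGED = re.compile(r"^\s*(?:create|drop|alter)\s+table\s+(\S+)", re.I)

def should_alert(user, sql):
    """Criteria are ANDed: privileged op AND not #tmp AND not own schema."""
    m = PRIVILEGED.match(normalize(sql))
    if not m:
        return False
    target = m.group(1).rstrip(";").replace("[", "").replace("]", "")
    if target == TOKEN:
        return False
    # Unqualified names are treated as outside the user's schema (assumption).
    schema = target.split(".")[0] if "." in target else ""
    return schema.lower() != user.lower()

# Constructed sample statements: (db user, SQL text)
SAMPLES = [
    ("jlee", "CREATE TABLE #orders_stage_7f3a (id int)"),
    ("jlee", "DROP TABLE ##global_stage;"),
    ("JLEE", "DROP TABLE jlee.scratch"),
    ("JLEE", "DROP TABLE payroll.salaries"),
    ("jlee", "INSERT INTO hr.notes VALUES ('Apt #12B, see #1')"),
]

if __name__ == "__main__":
    for user, sql in SAMPLES:
        print(should_alert(user, sql), "|", normalize(sql))
    # The over-broad pattern rewrites data inside the string literal:
    print(normalize(SAMPLES[4][1], NAIVE))
```

Running candidate patterns over captured audit text like this before enabling a replacement shows whether anything other than temp-table names would be rewritten.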