Imperva Cyber Community


Agent Monitoring Database User Exclusion

  • 1.  Agent Monitoring Database User Exclusion

    Posted 10-24-2019 07:59
    I am trying to exclude a database user from monitoring using the Agent Monitoring Rules settings. When I add a database user name match criterion containing the relevant username, I still get login audit events for that user name. How can I exclude login audits as well as other audits regarding a username?
    #DatabaseActivityMonitoring

    ------------------------------
    Bilal Kaya
    Barikat
    ISTANBUL
    ------------------------------


  • 2.  RE: Agent Monitoring Database User Exclusion

    Imperva Employee
    Posted 10-24-2019 09:01
    It sounds like you are taking the correct approach.
    Is the user name match the only criterion you have? Multiple match criteria are AND'd, so all have to match.

    In the audit data, is the user actually listed as the DB user?
    It's possible it's the OS user ID that needs to be excluded.
    Did you remember to apply the AMR to the agent?

    ------------------------------
    Phil Klassen
    ------------------------------



  • 3.  RE: Agent Monitoring Database User Exclusion

    Posted 10-24-2019 09:44
    I tried to use other match criteria, such as (event type -> at least one -> login, logout and query), AND'd with the username match criterion.

    I am using the username which I see in the user column of the DB audit data, so it is not the OS user, and I applied the rule to the relevant agent.

    When I use the source IP address instead of the username, it works as expected; I don't get any audit data, including the login event.

    ------------------------------
    Bilal Kaya
    Barikat
    ISTANBUL
    ------------------------------



  • 4.  RE: Agent Monitoring Database User Exclusion

    Imperva Employee
    Posted 10-24-2019 12:08
    The best test would be only the user name without any other criteria, which it sounds like you have tried.
    At this point I would suggest opening a case.

    We will need an agent PCAP that is taken while the user we want to exclude is accessing the DB,
    along with agent and GW logs.

    A screen print of the AMR would also be good.
    Sorry we couldn't resolve it here.

    ------------------------------
    Phil Klassen
    ------------------------------



  • 5.  RE: Agent Monitoring Database User Exclusion

    Posted 10-24-2019 12:35
    I've tried that in the past and it was not possible, because the username is not part of the agent-level criteria. If you use the username in your AMR then the gateway will need to decide on it, and considering that login is the first event the database would see, it would create an audit event before the gateway could tell the agent to stop monitoring that session.

    If you exclude some other activity for that username, such as selects, you would then be able to filter out that session's traffic, as the gateway would have informed the agent to stop monitoring, but I believe you would always see a login event. For traffic to be excluded at the agent level, you are restricted to using the match criteria prefixed with "Agent Criteria".

    This is how it worked when I tried in the past, and Imperva would need to confirm this is still accurate.

    If your only concern is not logging the event, then you can just use the match criteria within the audit policy to exclude the specific username. If it's for performance concerns due to traffic from the agent to the gateway, then I'm not sure it's possible.

    ------------------------------
    Tyler Somers
    Marriott International
    Bethesda MD
    ------------------------------



  • 6.  RE: Agent Monitoring Database User Exclusion

    Imperva Employee
    Posted 10-24-2019 14:29
    Thanks a lot Tyler, appreciate the contribution. It is true that if we can use an agent-level AMR then it is preferred.
    It's also true that other exclusions must be examined by the GW to see if they apply, which then notifies the agent to exclude.

    The IP address, for example, is an agent-level criterion.

    It's almost a race condition on how quickly we can get to the agent to have it exclude the specified criteria.

    Whatever is sent by the agent prior to receiving the exclude request from the GW is sent to the audit process by default.

    ------------------------------
    Phil Klassen
    ------------------------------
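The two-tier behaviour described in replies 5 and 6 (agent-level criteria such as source IP are evaluated locally, while a DB user name can only be evaluated by the gateway, which then tells the agent to stop forwarding that session) can be modelled in a few lines. The following is an added illustration written for this thread, not Imperva code and not the real agent/gateway protocol; the class names, the `notify_delay` parameter and the sample traffic are assumptions made for the model. It shows why an IP-based rule suppresses the login event while a user-name rule audits the login (and any events still in flight) before the exclusion takes effect.

```python
"""Simplified model of agent-level vs gateway-level AMR exclusion.

Added illustration for this forum thread. It is NOT Imperva code and does not
reproduce the real SecureSphere agent/gateway protocol; names and the sample
traffic below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    session: str
    source_ip: str
    db_user: str
    event_type: str  # "login", "query" or "logout"


@dataclass
class Rule:
    # Criteria the agent can evaluate on its own (e.g. source IP).
    agent_criteria: dict = field(default_factory=dict)
    # Criteria only the gateway can evaluate (e.g. DB user name).
    gateway_criteria: dict = field(default_factory=dict)


def _match(criteria: dict, ev: Event) -> bool:
    """All criteria are AND'd; an empty criteria set matches nothing."""
    if not criteria:
        return False
    return all(getattr(ev, key) == value for key, value in criteria.items())


def simulate(rule: Rule, events: list, notify_delay: int = 0) -> list:
    """Return the events that reach the audit process.

    notify_delay is the number of further events the agent forwards before the
    gateway's 'exclude this session' request arrives (assumed round-trip lag).
    """
    excluded_sessions = set()   # sessions the agent has been told to drop
    requested = set()           # sessions for which an exclude is in flight
    pending = []                # (deliver_at_index, session)
    audited = []
    for i, ev in enumerate(events):
        # Deliver exclude requests whose round trip has completed.
        for deliver_at, sess in list(pending):
            if deliver_at <= i:
                excluded_sessions.add(sess)
                pending.remove((deliver_at, sess))
        # Agent-side decision: local criteria or an already-excluded session.
        if _match(rule.agent_criteria, ev) or ev.session in excluded_sessions:
            continue
        # Otherwise the event is forwarded and audited by default.
        audited.append(ev)
        # Gateway-side decision: matching triggers a (delayed) exclude request.
        if _match(rule.gateway_criteria, ev) and ev.session not in requested:
            requested.add(ev.session)
            pending.append((i + 1 + notify_delay, ev.session))
    return audited


def audited_summary(rule: Rule, events: list, notify_delay: int = 0) -> list:
    """Compact (session, event_type) view of what was audited."""
    return [(e.session, e.event_type) for e in simulate(rule, events, notify_delay)]


# Constructed sample traffic: a service account we want excluded, and a human user.
SAMPLE_EVENTS = [
    Event("s1", "10.0.0.5", "svc_backup", "login"),
    Event("s1", "10.0.0.5", "svc_backup", "query"),
    Event("s1", "10.0.0.5", "svc_backup", "query"),
    Event("s1", "10.0.0.5", "svc_backup", "logout"),
    Event("s2", "10.0.0.9", "alice", "login"),
    Event("s2", "10.0.0.9", "alice", "query"),
]

IP_RULE = Rule(agent_criteria={"source_ip": "10.0.0.5"})
USER_RULE = Rule(gateway_criteria={"db_user": "svc_backup"})

if __name__ == "__main__":
    print("IP rule:      ", audited_summary(IP_RULE, SAMPLE_EVENTS))
    print("user rule:    ", audited_summary(USER_RULE, SAMPLE_EVENTS))
    print("user rule +1: ", audited_summary(USER_RULE, SAMPLE_EVENTS, notify_delay=1))
```

With the IP rule nothing from session s1 is audited, because the agent drops it before forwarding. With the user-name rule the s1 login is always audited (it is the event the gateway needs in order to decide), and any events the agent forwards before the exclude request lands are audited too, which is the race described above.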



  • 7.  RE: Agent Monitoring Database User Exclusion

    Posted 10-25-2019 06:43
    Thank you Tyler. I agree with you; we don't have a username agent-level criterion, so we can't stop the login event on the agent. I can do it with the audit policy, but that is not the preferable way for me, because exclusions should be in the AMR. I use the audit policy to decide which logs to audit. At the same time, we would be wasting network bandwidth for no reason.


    ------------------------------
    Bilal Kaya
    Barikat
    ISTANBUL
    ------------------------------