Looking for some tips and tricks with tuning DAM security policies within my environment. At the moment I have default security policies enabled and would like to start tuning out any major noise that is setting off CRITICAL/HIGH level alerts. It seems as though the default policies do not allow a lot of adjustment.
What are some best practices with tuning the policies? Wondering how others have had success?
One example: I have a SQL monitoring application causing a ton of noise and generating 'SQL Injection' alerts. All traffic is coming from the same source, hitting all servers.
Policy enabled: Recommended Signature Policy for Database Applications
Focusing on the example in my original post. Our DBAs are using a tool called 'Redgate SQL Monitor' within our MSSQL environment.
This tool is causing a lot of SQL injection alerts which are false positives. What would be the best way to modify this alert to remove any noise from this application?
I know I could click on each 'Violation' and click 'Add as exception', however when there are 5000 violations... haha. Added a screenshot of one of the alerts.
Thanks for this information! I see now where I can expand the criteria for the exception.
Is there a way to add further exception criteria to that area, such as a lookup data set? Appreciate the help!
One last question...
I am trying to use this full query field to add an exception to this monitoring software. All of the queries have a similar object naming showing up throughout all of the operations. "##redgate_sqlmonitor_querywaitstats"
Example query selection:
--RedGateIgnore RedGateNoLog..SET NOCOUNT ON;....IF OBJECT_ID(N'tempdb..[##redgate_sqlmonitor_querywaitstats_SERVER1_SERVER2.(local)]').....
Are wildcards an option in the 'Full Query' exception area, or can you think of any other way I could match this?
Just wanted to update my post here.
- You can not use a wildcard in the full query area to match what you're looking for
- You can not add any other match criteria into the exceptions
The default security policies are limited in this manner. I finally found success by reaching out to support. We were able to exclude this traffic by removing the signature from the default policy, and building a custom policy for that specific signature WHILE excluding the specific 'Source Application'. In this case, Redgate SQL Monitor source app was "sql monitor - monitoring"
Support states that this was something they have had to do for other customers. Might be helpful for the community to write up an article on something like this. It required a bit more work, custom dictionary, few other steps. Either way thanks for all the answers. I will definitely be using this method to further reduce false positive alerts in bulk.
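As an added example (not from this thread or from Imperva's product), the filter below applies the same two-part match the thread arrived at to an offline alert export: an alert is treated as Redgate SQL Monitor noise only when the source application is "sql monitor - monitoring" AND the query body carries the Redgate markers quoted above, so a query that merely arrives under that application name is still kept. The alert record layout and the sample alerts are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Markers quoted in the thread: the tool's comment prefix and its temp-table naming.
REDGATE_SOURCE_APP = "sql monitor - monitoring"
REDGATE_QUERY_RE = re.compile(
    r"^--RedGateIgnore RedGateNoLog\b|##redgate_sqlmonitor_\w+", re.IGNORECASE
)

@dataclass
class Alert:
    # Hypothetical export fields; a real DAM export will name them differently.
    signature: str
    source_app: str
    full_query: str

def is_redgate_noise(alert: Alert) -> bool:
    """True only when BOTH the source application and the query body identify
    Redgate SQL Monitor. Requiring both keeps an injection attempt that only
    shares the application name from being suppressed along with the noise."""
    if alert.signature != "SQL Injection":
        return False
    if alert.source_app.strip().lower() != REDGATE_SOURCE_APP:
        return False
    return REDGATE_QUERY_RE.search(alert.full_query.lstrip()) is not None

def triage(alerts):
    """Split alerts into (keep, suppressed) lists."""
    keep, suppressed = [], []
    for a in alerts:
        (suppressed if is_redgate_noise(a) else keep).append(a)
    return keep, suppressed

# Constructed sample alerts.
SAMPLE = [
    Alert("SQL Injection", "sql monitor - monitoring",
          "--RedGateIgnore RedGateNoLog\r\nSET NOCOUNT ON;\r\n"
          "IF OBJECT_ID(N'tempdb..[##redgate_sqlmonitor_querywaitstats_SERVER1]') IS NOT NULL ..."),
    # Same application name but no Redgate markers: must be kept for review.
    Alert("SQL Injection", "sql monitor - monitoring",
          "SELECT * FROM users WHERE name = '' OR 1=1 --"),
    # Redgate markers but a different source application: must be kept.
    Alert("SQL Injection", "webapp", "--RedGateIgnore RedGateNoLog SELECT 1"),
]

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE)
    print(f"kept {len(kept)}, suppressed {len(dropped)}")
```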
Copyright © 2019 Imperva. All rights reserved