Imperva Cyber Community

communities_1.jpg
 View Only
  • 1.  Help with audit \ brainstorm.

    Posted 07-08-2021 04:35
    Edited by Sarah Lamont 07-23-2021 05:38
    Hello dear Imperva community.

    We have a task make enternal audit our data bases , the primary target audit - found user account who not need access to data base and block (users who more that 6 months not a login into data base).

    I am more than sure, that not the first person, who faces that task.

    We tried use URM function Discovery & Classification \ DB User Rights \ Bad practices \ Dormant Users who are not Locked

    - This feature completely covers the requirements for the task, but how many times we tried it does not work (are there any specialists who managed to solve the problem of empty fields?) Maybe someone will tell you to share their experience?

    Dear community we need your ideas \ examples \ experience.
    #DatabaseActivityMonitoring

    ------------------------------
    Sergey Malovidchenko
    Lead Engineer
    Moscow
    ------------------------------


  • 2.  RE: Help with audit \ brainstorm.

    Posted 07-23-2021 05:40
    Hi Sergey,

    I love this question. I am going to boost it to see if we can get some responses. 

    In the mean time, have you tried anything that has been successful so far?

    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 3.  RE: Help with audit \ brainstorm.

    Posted 07-23-2021 06:13
    Edited by Sergey Malovidchenko 07-23-2021 06:13
    ​Hi Sarah ,

    Thx about your interest for this task.

    When we tried to fix "empty fields" on URM scanning we found some internal errors in our system and now try fix them.

    In this time (we have dead line) , we decided make this audit in manually (load information accounts from DB and use hands, phone and email to get feedback from users about the need for access) , yes a solution from the "last century", but ...

    Anyway , we do not despair and try fix, and use in future URM for this task (how i now know from my "colleagues", such a task is in demand but there is no single solution, so maybe - we will be the first)

    Also have idea do something with use audit polices with report "login in" \ "hit summ" from 6 months , but need think about this solution.

    ------------------------------
    Sergey Malovidchenko
    Lead Engineer
    Moscow
    ------------------------------



  • 4.  RE: Help with audit \ brainstorm.
    Best Answer

    Posted 07-23-2021 14:16
    Sergey,

    The "Dormant Users Who are Not Locked" is a great feature for what you want, but it needs a few things to give you the results you expect.
    1. You need to have a successful URM scan against the server.
    2. You need to be auditing the traffic on the server.  
    (see https://docs.imperva.com/bundle/v12.6-database-activity-monitoring-user-guide/page/575.htm for some details)

    Essentially what this does is take the list of users on the server, subtract the list of users that have actually used their access(and showed up in the audit log), and reports on the difference.  

    If you don't haven't been processing the historic audit information you probably won't be able to get what you want now, but it is worth setting up for the next review.

    (I think some databases may also keep a "last login" statistic for a user that we can pull , so if you see an old date for a server you haven't audited, that may be why)

    Jim

    ------------------------------
    Jim Burtoft (Prm)
    SE
    State College PA
    ------------------------------