Hi,
I think that the most important is monitoring sensitive data.
First, you should create your own sensitive data dictionary and add it to the Global Objects. After that run a Sensitive data scan and review the results - accept or decline.
Then you have the first audit policy -> all events on sensitive data.
What else? It depends on your corp. Try to find audit guidelines for monitoring DBs/systems; maybe you have guidelines in local law...
If you do not know what you should monitor, you can always use the match criteria -> All Events -> login/logout/query... but I know that is no solution... it is only a huge problem...
------------------------------
Karol Gruszczyński
IT Security Expert
Trafford IT
Warsaw
------------------------------
Original Message:
Sent: 06-15-2022 06:49
From: Mohammad Alriaty
Subject: Baseline ( Audit policies )
Dear All,
I need your feedback on the below, let's say baseline, audit policies: can we start with them?
And if you have use cases and recommended audit policies, please share them.
- DDL Command with the event:
  - Command group (Data Object Management – general object management)
  - Database user name (Exclude)
- DML Command with the event:
  - Database user name (Exclude)
  - Operation (Delete, Insert, Update)
- Modification sensitive data:
  - Operation (Delete, Insert, Update)
  - Table group (Classified object) or we can use:
- Access sensitive data:
  - Operation (Select)
  - Table group (Classified object)
- Privilege operation:
  - Command group (Users and Privilege management) "at least one"
  - Operation (privilege operations)
- Creation of new Database:
  - Privileged operation "at least one" (create database, create schema)
- Login/Logout: without event
#DatabaseActivityMonitoring
------------------------------
Mohammad Alriaty
System Engineer
Cloud Distribution
Riyadh
------------------------------
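To see how the baseline policies from the original post overlap and where they leave gaps, here is a small matcher that runs constructed database events through those seven policies. It is an added example and not code from the thread or from any DAM product; the excluded-user list, the classified table group, the command sets and the sample events are all assumptions made up for the demonstration.

```python
"""Toy matcher for the baseline DAM audit policies listed in the post (added
example: policy names, fields and sample events are constructed here)."""
from collections import Counter
from dataclasses import dataclass

EXCLUDED_USERS = {"app_svc"}  # constructed: "Database user name (Exclude)" list
CLASSIFIED_TABLES = {"customers", "card_data"}  # constructed: "Classified object" group
DDL_COMMANDS = {"CREATE TABLE", "ALTER TABLE", "DROP TABLE"}
DML_OPS = {"INSERT", "UPDATE", "DELETE"}
PRIV_COMMANDS = {"GRANT", "REVOKE", "CREATE USER", "ALTER USER", "DROP USER"}
CREATE_DB_COMMANDS = {"CREATE DATABASE", "CREATE SCHEMA"}

@dataclass
class Event:
    user: str
    command: str      # normalised statement type, e.g. "UPDATE", "LOGIN"
    table: str = ""   # target object, empty when the statement has none

def matching_policies(ev):
    """Names of every baseline policy from the post that the event satisfies."""
    hits = []
    # The user exclusion applies only to the plain DDL/DML policies ...
    if ev.command in DDL_COMMANDS and ev.user not in EXCLUDED_USERS:
        hits.append("DDL command")
    if ev.command in DML_OPS and ev.user not in EXCLUDED_USERS:
        hits.append("DML command")
    # ... while the sensitive-data policies key on the table group only, so an
    # excluded service account touching a classified table is still recorded.
    if ev.command in DML_OPS and ev.table in CLASSIFIED_TABLES:
        hits.append("Modification sensitive data")
    if ev.command == "SELECT" and ev.table in CLASSIFIED_TABLES:
        hits.append("Access sensitive data")
    if ev.command in PRIV_COMMANDS:
        hits.append("Privilege operation")
    if ev.command in CREATE_DB_COMMANDS:
        hits.append("Creation of new database")
    if ev.command in {"LOGIN", "LOGOUT"}:
        hits.append("Login/Logout")
    return hits

def policy_counts(events):
    """Fires per policy over a batch; zero-count policies or events with no hits are coverage gaps."""
    return Counter(name for ev in events for name in matching_policies(ev))

# Constructed sample activity: one event per policy, plus an excluded-user DDL
SAMPLE_EVENTS = [Event("alice", "LOGIN"), Event("alice", "SELECT", "customers"),
                 Event("app_svc", "UPDATE", "card_data"), Event("bob", "DELETE", "orders"),
                 Event("dba", "GRANT"), Event("dba", "CREATE SCHEMA"),
                 Event("app_svc", "CREATE TABLE", "scratch")]
```

Running `policy_counts(SAMPLE_EVENTS)` shows the excluded service account's DDL is recorded by nothing, while its update to a classified table is still caught by the sensitive-data policy.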