Imperva Cyber Community

  • 1.  Baseline ( Audit policies )

    Posted 06-15-2022 06:49
    Dear All,

    I need your feedback on the below, let's say, baseline audit policies. Can we start with them?

    And if you have use cases and recommended audit policies, please share them.

    • DDL Command with the event:
        • Command group (Data Object Management – general object management)
        • Database user name (Exclude)

    • DML Command with the event:
        • Database user name (Exclude)
        • Operation (Delete, Insert, Update)

    • Modification of sensitive data:
        • Operation (Delete, Insert, Update)
        • Table group (Classified object) or we can use:

    • Access to sensitive data:
        • Operation (Select)
        • Table group (Classified object)

    • Privilege operation:
        • Command group (Users and Privilege management) "at least one"
        • Operation (privilege operations)

    • Creation of new Database:
        • Privileged operation "at least one" (create database, create schema)

    • Login/Logout: without event


    Mohammad Alriaty
    System Engineer
    Cloud Distribution

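The seven policies in the post can be read as a small rule set: each one is a conjunction of match criteria (event type, command group, operation, table group, user exclusion) evaluated against every audited event. The following is an added example, not Imperva code and not from the original post, that encodes those criteria as plain Python and runs them over constructed audit events, so the overlaps and gaps between the policies become visible. The group contents (`CLASSIFIED_OBJECTS`, `EXCLUDED_USERS`, the command lists) and the `AuditEvent` fields are assumptions standing in for the product's table groups, command groups and parsed events.

```python
"""Toy rule engine for the baseline DAM audit policies listed in the post.
Added example with assumed names; it is not Imperva's product code."""
from dataclasses import dataclass
import re

# --- Constructed configuration (assumed stand-ins for the product's groups) ---
CLASSIFIED_OBJECTS = {"HR.SALARIES", "CRM.CUSTOMERS"}   # "Table group (Classified object)"
EXCLUDED_USERS = {"APP_SVC"}                             # "Database user name (Exclude)"

DDL_COMMANDS = {"CREATE TABLE", "ALTER TABLE", "DROP TABLE", "TRUNCATE TABLE",
                "CREATE INDEX", "DROP INDEX", "CREATE VIEW", "DROP VIEW"}
DML_OPERATIONS = {"DELETE", "INSERT", "UPDATE"}
PRIVILEGE_COMMANDS = {"CREATE USER", "ALTER USER", "DROP USER", "CREATE ROLE",
                      "DROP ROLE", "GRANT", "REVOKE"}
NEW_DATABASE_COMMANDS = {"CREATE DATABASE", "CREATE SCHEMA"}


@dataclass(frozen=True)
class AuditEvent:
    user: str
    event: str            # "login", "logout" or "query"
    sql: str = ""         # statement text for "query" events
    obj: str = ""         # SCHEMA.TABLE the statement touches; the gateway's parser
                          # resolves this in the product, here it is supplied directly


def command_of(sql: str) -> str:
    """Return the normalised leading command, e.g. 'CREATE TABLE', 'GRANT' or 'SELECT'."""
    words = re.findall(r"[A-Za-z_]+", sql.upper())
    if not words:
        return ""
    two = " ".join(words[:2])
    if two in DDL_COMMANDS | PRIVILEGE_COMMANDS | NEW_DATABASE_COMMANDS:
        return two
    return words[0]


def matching_policies(ev: AuditEvent) -> list[str]:
    """Evaluate the seven baseline policies against one event; return the names that match."""
    if ev.event in ("login", "logout"):
        return ["Login/Logout"]          # policy has no event criteria: every login/logout
    cmd = command_of(ev.sql)
    op = cmd.split()[0] if cmd else ""
    hits = []
    if cmd in DDL_COMMANDS and ev.user not in EXCLUDED_USERS:
        hits.append("DDL command")
    if op in DML_OPERATIONS and ev.user not in EXCLUDED_USERS:
        hits.append("DML command")
    if op in DML_OPERATIONS and ev.obj in CLASSIFIED_OBJECTS:
        hits.append("Modification of sensitive data")   # no user exclusion on this policy
    if op == "SELECT" and ev.obj in CLASSIFIED_OBJECTS:
        hits.append("Access to sensitive data")
    if cmd in PRIVILEGE_COMMANDS:
        hits.append("Privilege operation")
    if cmd in NEW_DATABASE_COMMANDS:
        hits.append("Creation of new database")
    return hits


# Constructed sample traffic (not real audit data)
SAMPLE_EVENTS = [
    AuditEvent("dba_jane", "login"),
    AuditEvent("dba_jane", "query", "CREATE TABLE HR.BONUS (id int)", "HR.BONUS"),
    AuditEvent("APP_SVC", "query", "UPDATE HR.SALARIES SET amt = 1 WHERE id = 7", "HR.SALARIES"),
    AuditEvent("analyst", "query", "SELECT * FROM CRM.CUSTOMERS", "CRM.CUSTOMERS"),
    AuditEvent("dba_jane", "query", "GRANT SELECT ON HR.SALARIES TO analyst", "HR.SALARIES"),
    AuditEvent("dba_jane", "query", "CREATE SCHEMA AUDIT_TMP", ""),
    AuditEvent("APP_SVC", "query", "INSERT INTO CRM.ORDERS VALUES (1)", "CRM.ORDERS"),
    AuditEvent("analyst", "logout"),
]


def run_baseline(events=SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Return (user, matched policy names) per event; an empty list means not audited."""
    return [(ev.user, matching_policies(ev)) for ev in events]


if __name__ == "__main__":
    for user, hits in run_baseline():
        print(f"{user:10} -> {hits or '(not audited)'}")
```

Two things the run shows that the list alone does not: the excluded service account's UPDATE on HR.SALARIES is dropped by the DML policy but still caught by the sensitive-data policy, because only the first two policies carry the user exclusion; and the same account's INSERT into a non-classified table is not audited at all, which is exactly the blind spot a user exclusion creates and should be a deliberate choice.
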
  • 2.  RE: Baseline ( Audit policies )

    Posted 06-28-2022 06:15
    Hi Mohammad,

    I noticed that you haven't received any replies directly on this thread, so I will boost it for a couple of days in the hope that more of our #DatabaseActivityMonitoring users are able to provide some feedback, even on one or two of these policies.


    Sarah Lamont(csp)
    Digital Community Manager

  • 3.  RE: Baseline ( Audit policies )

    Posted 06-28-2022 07:56

    I think that the most important is monitoring sensitive data.
    First, you should create your own sensitive data dictionary and add it to the Global Objects. After that, run a Sensitive Data scan and review the results: accept or decline.
    Then you have the first audit policy -> all events on sensitive data.
    What else? It depends on your company. Try to find audit guidelines for monitoring DBs/systems; maybe you have guidelines in local law....
    If you do not know what you should monitor, you can always use the match criteria -> All Events -> login/logout/query..... but I know that is no solution.... it is only a huge problem...

    Karol Gruszczyński
    IT Security Expert
    Trafford IT