Imperva Cyber Community


Best practices for excluding multiple schema users with respect to source IP.


    Posted 12 hours ago

    I have a query regarding user exclusion logic in Imperva DAM policies.

    Currently, we have separate security policies configured for each database server. In these policies, we are trying to exclude specific schema users based on source IP addresses.

    Our configuration approach is as follows:

    • For User, we are using the "At least" condition and specifying selected users.
    • For Source IP, we are using "Exclude all" and listing multiple IP addresses.

    For example:

    • Users: ABC, XYZ, STU, MNO
    • Source IPs: 0.1.0.1, 1.1.1.1, 2.2.2.2

    Our intention is to exclude only ABC and XYZ users when traffic comes from the specified IPs.

    However, in this setup, we observe that alerts are not triggered correctly. It seems that when multiple users and multiple IPs are configured together using this logic, the policy behavior becomes too broad, and unintended traffic may also get excluded or not evaluated as expected.

    In contrast, when fewer users/IPs are configured, it works as intended.

    Could someone help clarify:

    1. Why this behavior occurs when combining multiple users and multiple IPs with "At least" + "Exclude all" logic?
    2. What is the correct way to configure user-based exclusions with multiple IP conditions without impacting other users?
    3. Are there any best practices for structuring such exclusions in DAM policies?

    Any guidance or examples would be really helpful.


    #DatabaseActivityMonitoring

    ------------------------------
    Somnath Shinde
    Engineer

    ------------------------------
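The following is an added illustration, not Imperva's policy engine or any code from the post: it models a policy as a list of match criteria that must all hold for an alert to fire (an assumed AND between "User: at least" and "Source IP: exclude all"), uses the users and IPs named in the post, and runs constructed sample traffic through the policy as described and through a narrower alternative in which the exception names the user and the IP together. The `intended` function encodes the post's stated goal (exclude only ABC and XYZ from the listed IPs, leave everyone else audited). Whether the product combines criteria this way should be confirmed against Imperva's own documentation; the point of the model is to show what a conjunction of a user allow-list and an IP deny-list does to coverage.

```python
"""Constructed model of how match criteria in a DAM-style policy combine.

Assumptions (this is an added example, not Imperva's evaluation logic):
  * every criterion in a policy must hold (logical AND) for the policy to fire;
  * a "User: at least" criterion holds when the event's user is in the list;
  * a "Source IP: exclude all" criterion holds when the event's IP is NOT listed.
Users and IPs are the ones from the post; the traffic below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    user: str
    src_ip: str


Criterion = Callable[[Event], bool]


def user_at_least(users: set) -> Criterion:
    """'At least' on User: holds when the event user is one of the listed users."""
    return lambda e: e.user in users


def source_ip_exclude_all(ips: set) -> Criterion:
    """'Exclude all' on Source IP: holds only when the event IP is not listed."""
    return lambda e: e.src_ip not in ips


def fires(criteria: List[Criterion], e: Event) -> bool:
    """A policy fires when ALL of its criteria hold (assumed AND semantics)."""
    return all(c(e) for c in criteria)


# Values taken from the post
USERS = {"ABC", "XYZ", "STU", "MNO"}
EXCLUDED_USERS = {"ABC", "XYZ"}
IPS = {"0.1.0.1", "1.1.1.1", "2.2.2.2"}

# Policy as described in the post: User "at least" + Source IP "exclude all"
AS_CONFIGURED: List[Criterion] = [user_at_least(USERS), source_ip_exclude_all(IPS)]


def intended(e: Event) -> bool:
    """Stated goal: alert on everything except ABC/XYZ arriving from the listed IPs."""
    return not (e.user in EXCLUDED_USERS and e.src_ip in IPS)


# Narrower structure: the exception binds user AND IP in one criterion, so it can
# only silence the (user, IP) pairs it names and never widens to other users.
NARROW_EXCEPTION: List[Criterion] = [
    lambda e: not (e.user in EXCLUDED_USERS and e.src_ip in IPS),
]

# Constructed sample traffic: each listed user, one unlisted user ("OPS"),
# each listed IP and one unlisted IP ("9.9.9.9")
SAMPLE_EVENTS = [
    Event(u, ip)
    for u in sorted(USERS | {"OPS"})
    for ip in sorted(IPS | {"9.9.9.9"})
]


def mismatches(criteria: List[Criterion], events=SAMPLE_EVENTS) -> List[Tuple[str, str, str]]:
    """Events where the policy's outcome differs from the intended outcome.

    Each entry is (user, src_ip, kind) with kind
      'missed'     - should alert but the policy is silent
      'unexpected' - should be excluded but the policy alerts
    """
    out = []
    for e in events:
        got, want = fires(criteria, e), intended(e)
        if got != want:
            out.append((e.user, e.src_ip, "missed" if want else "unexpected"))
    return out


if __name__ == "__main__":
    for name, crit in (("as configured", AS_CONFIGURED), ("narrow exception", NARROW_EXCEPTION)):
        found = mismatches(crit)
        print(f"{name}: {len(found)} mismatches")
        for m in found:
            print("  ", m)
```

Run as-is, the "as configured" policy reports only `missed` entries: STU and MNO from the listed IPs are silenced even though only ABC and XYZ were meant to be, and the unlisted user OPS never alerts from anywhere because the "at least" user list has become an allow-list for the whole policy. Adding more users or IPs grows both effects, which matches the observation that the behaviour looks fine with a small list and "too broad" with a larger one. The narrow form produces zero mismatches because the exclusion is a single pair-wise condition rather than two independent lists ANDed together.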