Dear team,
I hope you are doing well.
I would like to emphasize the importance, from a SOC team's perspective, of receiving clear and detailed incident information, particularly when incidents involve critical or sensitive access to database tables.
In our current setup, ERP database access appears under the generic username "APPS," which is the only account authorized to connect to the databases. Therefore, it is essential to implement a reliable mapping mechanism that translates actions performed by the "APPS" account back to the actual application-level usernames.
This mapping is crucial for accurately tracking user activity, identifying any unauthorized access, and investigating potential data exposure or modifications to confidential information.
Is there any suggestion for resolving the issue, or any workaround to fix it?
#DatabaseActivityMonitoring
------------------------------
Mohammed AlNuqaydan
Senior Endpoint & DataSec Analyst
Riyadh
------------------------------