I've tried that in the past and it was not possible due to the username not being part of the agent-level criteria. If you use username in your AMR then the gateway will need to decision it, and considering login is the first event the database would see, it would create an audit event before the gateway could tell the agent to stop monitoring that session.
If you exclude some other activity for that username, such as selects, you then would be able to filter out that session's traffic, as the gateway would have informed the agent to stop monitoring, but I believe you would always see a login event. For traffic to be excluded at the agent level, you are restricted to using the match criteria prefixed with "Agent Criteria".
This is how it worked when I tried in the past and Imperva would need to confirm this is still accurate.
If your only concern is not logging the event then you can just use the match criteria within the audit policy to exclude the specific username. If it's for performance concerns due to traffic from the agent to the gateway then I'm not sure it's possible.
------------------------------
Tyler Somers
Marriott International
Bethesda MD
------------------------------
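As an added illustration (a constructed simulation, not Imperva's code or the poster's), the model below shows why a username-only AMR still audits the login: the agent can only drop events on criteria it evaluates locally (source IP here), while the username is decided by the gateway after the first event has already been forwarded. The `Rule` fields, the event dictionaries and the sample session are all assumptions made for this example.

```python
"""Toy model of the agent/gateway exclusion flow described above.

Constructed simulation, not Imperva code. The agent sees every session
event and can only drop traffic on criteria it evaluates locally ("Agent
Criteria", here the source IP). The DB username is decided by the gateway,
which then tells the agent to stop monitoring that session. Because the
login is the first event, it has already been forwarded and audited.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One Agent Monitoring Rule; every criterion that is set is AND'd."""
    agent_source_ip: Optional[str] = None  # evaluated on the agent
    db_username: Optional[str] = None      # evaluated on the gateway only

    def matches(self, ev: dict, agent_side: bool) -> bool:
        checks = []
        if self.agent_source_ip is not None:
            checks.append(ev["src_ip"] == self.agent_source_ip)
        if self.db_username is not None:
            if agent_side:          # the agent cannot evaluate a username
                return False
            checks.append(ev["user"] == self.db_username)
        return bool(checks) and all(checks)


def run_session(events, rule):
    """Return the event types the gateway would end up auditing."""
    audited, stop_monitoring = [], False
    for ev in events:
        if stop_monitoring or rule.matches(ev, agent_side=True):
            continue                # dropped at the agent, never forwarded
        audited.append(ev["type"])  # gateway receives and audits the event
        if rule.matches(ev, agent_side=False):
            stop_monitoring = True  # gateway tells the agent to stop


    return audited


# Constructed sample session: login, one query, logout from the same user.
SESSION = [
    {"type": "login", "user": "svc_backup", "src_ip": "10.0.0.5"},
    {"type": "query", "user": "svc_backup", "src_ip": "10.0.0.5"},
    {"type": "logout", "user": "svc_backup", "src_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    print(run_session(SESSION, Rule(db_username="svc_backup")))      # ['login']
    print(run_session(SESSION, Rule(agent_source_ip="10.0.0.5")))   # []
```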
Original Message:
Sent: 10-24-2019 11:54
From: Phil Klassen
Subject: Agent Monitoring Database User Exclusion
The best test would be only the username without any other criteria, which it sounds like you have tried.
At this point I would suggest opening a case
We will need an agent PCAP that is taken while the user we want to exclude is accessing the DB
Along with Agent and GW logs
A screen print of the AMR would also be good
Sorry we couldn't resolve it here
------------------------------
Phil Klassen
Original Message:
Sent: 10-24-2019 09:36
From: Bilal Kaya
Subject: Agent Monitoring Database User Exclusion
I tried to use other match criteria such as (event type -> at least one -> login, logout and query) AND'd with the username match criteria.
I am using the username which I see in the db audit data user column, so it is not the OS user, and I applied the rule to the regarding agent.
When I use source IP address instead of username, it is working as expected; I don't get any audit data, including the login event.
------------------------------
Bilal Kaya
Barikat
ISTANBUL
Original Message:
Sent: 10-24-2019 08:51
From: Phil Klassen
Subject: Agent Monitoring Database User Exclusion
It sounds like you are taking the correct approach.
Is the username match the only criterion you have? Multiple match criteria are AND'd, so all have to match.
In the audit data, is the user actually listed as the DB user?
It's possible it's the OS user ID that needs to be excluded.
Did you remember to apply the AMR to the agent?
------------------------------
Phil Klassen
Original Message:
Sent: 10-24-2019 06:58
From: Bilal Kaya
Subject: Agent Monitoring Database User Exclusion
I am trying to exclude a database user from monitoring using Agent Monitoring Rules settings. When I add a database username match criterion including the relevant username, I still get login event audits regarding that username. How can I exclude login audits as well as other audits regarding a username?
#DatabaseActivityMonitoring
------------------------------
Bilal Kaya
Barikat
ISTANBUL
------------------------------