Imperva Cyber Community

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

Hello Musaib,

Have you install agent in oracle and sql server? If yes, have ur DB admin done any data extraction from their side?

------------------------------
Agustin Cudiamat
Field Engineer
Singapore

Original Message:
Sent: 09-14-2025 04:45
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

#DatabaseActivityMonitoring

------------------------------
Mohammad Musaib Rather

------------------------------

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-14-2025 04:45
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

#DatabaseActivityMonitoring

------------------------------
Mohammad Musaib Rather
-------------

Hi Cezmi,

I did still no result, config screenshots i am attaching

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:34
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

I did still no result, config screenshots i am attaching

------------------------------
Mohammad Musaib Rather


Original Message:
Sent: 09-15-2025 05:27
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-14-2025 04:45
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

#DatabaseActivityMonitoring

------------------------------
Mohammad Musaib Rather

------------------------------

Hi Cezmi,

Thank you for your help, i can see the alerts now. Can you guide to generate the report for the same, i have scheduled report but i am seeing no data in there

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

Hi Cezmi,

I did still no result, config screenshots i am attaching

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

Hi Musaib,

Last Few Days criteria work for differently based on the execution of the report. When you run the report manually its timeframe is "from now-3*24 hours to now". But when the report runs as scheduled job, its timeframe is "last 3 days 00:00-23:59".

You can look at the details from that link: Clarification on the scope of "Last Few Days" reports [3e10470b]

Hi Cezmi,

Thank you for your help, i can see the alerts now. Can you guide to generate the report for the same, i have scheduled report but i am seeing no data in there

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

Hi Cezmi,

I did still no result, config screenshots i am attaching

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

BTW, can you share the details of Settings tab of your Audit policy?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:53
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hi Musaib,

Last Few Days criteria work for differently based on the execution of the report. When you run the report manually its timeframe is "from now-3*24 hours to now". But when the report runs as scheduled job, its timeframe is "last 3 days 00:00-23:59".

You can look at the details from that link: Clarification on the scope of "Last Few Days" reports [3e10470b]

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:48
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

Thank you for your help, i can see the alerts now. Can you guide to generate the report for the same, i have scheduled report but i am seeing no data in there

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:39
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:34
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

I did still no result, config screenshots i am attaching

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:27
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-14-2025 04:45
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

#DatabaseActivityMonitoring

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai
------------------------------

Hi Cezme,

I am generating report with custom policy added and for last three days, even though alerts are there, but i am seeing no data in report.

Audit policy snapshot is attached

Thank you in advance

BTW, can you share the details of Settings tab of your Audit policy?

Hi Musaib,

Last Few Days criteria work for differently based on the execution of the report. When you run the report manually its timeframe is "from now-3*24 hours to now". But when the report runs as scheduled job, its timeframe is "last 3 days 00:00-23:59".

You can look at the details from that link: Clarification on the scope of "Last Few Days" reports [3e10470b]

Hi Cezmi,

Thank you for your help, i can see the alerts now. Can you guide to generate the report for the same, i have scheduled report but i am seeing no data in there

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

Hi Cezmi,

I did still no result, config screenshots i am attaching

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

Hi Musaib,

Can you run the reports manually and look the results again for both Alerts and Audit reports?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:59
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezme,

I am generating report with custom policy added and for last three days, even though alerts are there, but i am seeing no data in report.

Audit policy snapshot is attached

Thank you in advance

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:55
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

BTW, can you share the details of Settings tab of your Audit policy?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:53
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hi Musaib,

Last Few Days criteria work for differently based on the execution of the report. When you run the report manually its timeframe is "from now-3*24 hours to now". But when the report runs as scheduled job, its timeframe is "last 3 days 00:00-23:59".

You can look at the details from that link: Clarification on the scope of "Last Few Days" reports [3e10470b]

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:48
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

Thank you for your help, i can see the alerts now. Can you guide to generate the report for the same, i have scheduled report but i am seeing no data in there

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:39
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:34
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

I did still no result, config screenshots i am attaching

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:27
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-14-2025 04:45
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

#DatabaseActivityMonitoring

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai
------------------------------

Hi Cezmi,

Audit policy setting tab is here, i shared config in previous response my apology,

Yes i ran report for alert and audit but still report shows no data

Hi Musaib,

Can you run the reports manually and look the results again for both Alerts and Audit reports?

Hi Cezme,

I am generating report with custom policy added and for last three days, even though alerts are there, but i am seeing no data in report.

Audit policy snapshot is attached

Thank you in advance

BTW, can you share the details of Settings tab of your Audit policy?

Hi Musaib,

Last Few Days criteria work for differently based on the execution of the report. When you run the report manually its timeframe is "from now-3*24 hours to now". But when the report runs as scheduled job, its timeframe is "last 3 days 00:00-23:59".

You can look at the details from that link: Clarification on the scope of "Last Few Days" reports [3e10470b]

Hi Cezmi,

Thank you for your help, i can see the alerts now. Can you guide to generate the report for the same, i have scheduled report but i am seeing no data in there

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

Hi Cezmi,

I did still no result, config screenshots i am attaching

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

Hi Musaib,

If you see alert on dashboard, you should get this alert as report. Your report definition looks good. Can you share output of the latest alert report that you run it manually here please?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 06:09
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

Audit policy setting tab is here, i shared config in previous response my apology,

Yes i ran report for alert and audit but still report shows no data

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 06:03
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hi Musaib,

Can you run the reports manually and look the results again for both Alerts and Audit reports?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:59
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezme,

I am generating report with custom policy added and for last three days, even though alerts are there, but i am seeing no data in report.

Audit policy snapshot is attached

Thank you in advance

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:55
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

BTW, can you share the details of Settings tab of your Audit policy?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:53
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hi Musaib,

Last Few Days criteria work for differently based on the execution of the report. When you run the report manually its timeframe is "from now-3*24 hours to now". But when the report runs as scheduled job, its timeframe is "last 3 days 00:00-23:59".

You can look at the details from that link: Clarification on the scope of "Last Few Days" reports [3e10470b]

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:48
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

Thank you for your help, i can see the alerts now. Can you guide to generate the report for the same, i have scheduled report but i am seeing no data in there

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:39
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hi Musaib,

You applied the policy to correct server group and services, right?

Can you share the Alerts tab of MX too?

Additionally, can you see any throughput on related agent's details page?

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-15-2025 05:34
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

Hi Cezmi,

I did still no result, config screenshots i am attaching

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai

Original Message:
Sent: 09-15-2025 05:27
From: Cezmi Cal
Subject: Audit policy for anomalous extraction

Hello Musaib,

Can you create a security policy as DB Service Custom type and set the criteria as same with your audit policy? Then apply it to related Server Groups and check if it is triggered or not.

------------------------------
Cezmi Cal
Consultant
Barikat Internet Guvenligi Bilisim Ticaret A.S.
Ankara

Original Message:
Sent: 09-14-2025 04:45
From: Mohammad Musaib Rather
Subject: Audit policy for anomalous extraction

I have created audit policy for oracle and sql server to monitor anomalous data extraction, in audit policy i am simply adding query response size greater than 100 records and event type as query,i not getting anything, even if i reduce record size to 10.
Can you please share insghits how to achieve this.

TIA

#DatabaseActivityMonitoring

------------------------------
Mohammad Musaib Rather
Support User
StarLink DMCC
Dubai
------------------------------