Trigger a correlation alert if there are more than fifteen
SQL Errors in the last three hours from any individual user of the
application.
About this task
Use correlation alerts to inform about events accumulated
over time. Applications do not normally have SQL errors. An increase
in SQL Errors in an application is a warning sign that a possible
SQL Injection is being attempted. See the online help topics, Correlation
Alerts and Queries for further information.
Prerequisites
- Configure the email (SMTP) server (Setup > Tools and Views > Alerter).
- After fully configuring the correlation alert, make sure it is
active and running (Setup > Tools and Views > Anomaly Detection).
An alert is a message indicating that an exception (correlation
alert) or policy rule violation (real-time alert) was detected.
A correlation alert is triggered by a query that looks back over a specified
time period to determine if an alert threshold has been met.
Overview of correlation alert steps
- Create a custom query from Exceptions Tracking with a field of
SQL Errors (with a count) and a condition of application users. In
order to use this custom query in the Alert Builder, a date field
(timestamp) is required.
- Click to open the Alert Finder.
- Click on New. Complete the fields per the instructions after the
Alert Builder menu screen.
- Add Receiver.
Exceptions domain, SQL Errors query
- Exceptions Tracking - Open the Query Finder
- Users: Select Tools > Report Building, and then select the Exceptions
domain only.
- Open the drop-down choices for Query. Select SQL Errors.
This opens a configuration screen with SQL Errors as the main
title.
- Clone this selection, typing in a unique name in the text
box for the query. Do not include apostrophe characters in the query
name.
- In your custom query, under Query fields, from the Client/Server
entity list, add a date field (timestamp) and change the database
error text field to count field mode. Under Query conditions, change
the run-time parameter of exception types to an attribute and choose
Exception.App. User Name.
- Click Save. This custom query for
SQL Errors from any application user is now available for use in the
Alert Builder.
Alert Builder menu screen
- Alert Builder - Create a Correlation Alert
- Click to open the Alert Finder.
- Click the New button in the Alerts Finder panel to display
the Add Alert panel.
- Enter a unique name for the alert in the Name box. Do not
include apostrophe characters in the alert name.
- Enter a short sentence that describes the alert in the
Description box.
- Enter an optional category in the Category box. In this
instance, Self Monitoring was used.
- Enter an optional classification in the Classification
box.
- Select a severity level from the Severity list. For an
email alert, a setting of HIGH results in the email being flagged
as urgent.
- Enter the number of minutes between runs of the query in
the Run Frequency field.
- Mark the Active box to activate the alert.
- Mark the Log Policy Violation box to log a policy violation
when this alert is triggered. By default, correlation alerts are logged
in the Alert Tracking domain only. By marking this box, correlation
alerts and real-time alerts (issued by the data access security policy)
can be viewed together, in the Policy Violations domain.
- From the Query list in the Alert Definition panel, select
the query to run for this alert. The list of queries displayed will
include all queries defined that:
- Contain at least one date field (timestamp) - a timestamp field
is required
- Contain a Count field - a count field is required
- Can be accessed by your Guardium® user
account
Troubleshooting tip: If a custom query has been created in
any Query Builder in Report Building, and it does not appear in the
Query list, then make sure that the custom query has a timestamp (date
field).
Troubleshooting tip: If, after selecting a query from the
Query list in the Alert Definition panel of the Add Alert screen,
you need to edit the query (Edit icon) but it cannot be edited there,
go to the Query Builder (Tools > Report Building) to edit the query.
- If the selected query contains run-time parameters, a Query
Parameters panel will appear in the Alert Definition pane. Supply
parameter values as appropriate for your application.
- In the Accumulation Interval box, enter the length of the
time interval (in minutes) that the query should examine in the audit
repository, counting back from the current time (for example, enter
10 to examine the last 10 minutes of data).
- Mark the Log Full Query results box to have the full report
logged with the alert.
- If the selected query contains one or more columns of numeric
data, select one of those columns to use for the test. The default
(the last item listed) is the query's last column, which is always
the count of occurrences aggregated in that row.
- In the Alert Threshold pane, define the threshold at which
a correlation alert is to be generated, as follows:
- In the Threshold field, enter a threshold number that will apply
as described by the remaining fields in the panel.
- From the Alert when value is list, select an operator indicating
how the report value is to relate to the threshold to produce an alert
(greater than, greater than or equal to, less than, etc.).
- Select per report if the threshold number applies to a report
total. If there is no data during the specified Accumulation Interval
and the threshold is per report, the value for that interval is 0 (zero),
and an alert is generated if the threshold condition is met (for
example, if the condition specified is “Alert when value is <
1”).
- Indicate in the Notification Frequency box how often (in
minutes) the Alert Receivers should be notified when the alert condition
has been satisfied.
- Click the Apply button to save the alert definition.
Note: You cannot assign receivers or roles, or enter
comments until the definition has been saved.
- In the Alert Receivers panel, optionally designate one
or more persons or groups to be notified when this alert condition
is satisfied. To add a receiver, click the Add Receiver button to
open the Add Receiver Selection panel. For information about adding
receivers, see notifications.
- Optionally click the Roles button to assign roles for the
alert. See Security Roles.
- Optionally click the Comments button to add comments to
the definition.
- Click the Apply button and then the Done button when you
have finished.
If there are more than fifteen
SQL errors in the last three hours by any application user, then an
alert will be sent to the designated receiver.
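The evaluation that the configured alert performs, modelled as an added example (this is illustrative code, not Guardium's implementation): the custom query counts SQL errors per application user over the Accumulation Interval, and each row's count is tested against the threshold with the chosen operator; the per-report variant and the "no data counts as 0" rule from the steps above are included. The sample events, the 5-minute spacing and the per-row default are constructed assumptions.

```python
"""Constructed model of a Guardium-style correlation alert evaluation."""
from collections import Counter
from datetime import datetime, timedelta
import operator

# Operators offered by "Alert when value is" (constructed mapping).
OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "=": operator.eq}

def _burst(user, start, n, step_min=5):
    """Constructed sample data: n SQL errors by one app user, step_min apart."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(minutes=step_min * i), user,
             "SQL error (constructed)") for i in range(n)]

NOW = datetime.fromisoformat("2024-05-01 12:00:00")
EVENTS = (
    _burst("alice", "2024-05-01 10:00:00", 16)    # 16 errors inside 3 h window
    + _burst("bob", "2024-05-01 11:00:00", 5)     # below the threshold of 15
    + _burst("carol", "2024-05-01 06:00:00", 20)  # all older than 3 h: ignored
)

def sql_errors_by_app_user(events, now, accumulation_minutes):
    """The custom query: one row per app user with a count of SQL errors,
    looking back accumulation_minutes from `now` (the report rows)."""
    start = now - timedelta(minutes=accumulation_minutes)
    rows = Counter()
    for ts, user, _error_text in events:
        if start <= ts <= now:
            rows[user] += 1
    return rows

def evaluate_alert(rows, threshold, op, per_report=False):
    """Return the row keys that trigger, or {'report'} in per-report mode.
    Per report with no rows: the value is 0, so '< 1' fires on empty data.
    Per row (assumed default): each user's count is tested separately."""
    test = OPERATORS[op]
    if per_report:
        total = sum(rows.values())  # 0 when the interval holds no data
        return {"report"} if test(total, threshold) else set()
    return {user for user, count in rows.items() if test(count, threshold)}

if __name__ == "__main__":
    # Threshold 15, operator ">", Accumulation Interval 180 minutes.
    report = sql_errors_by_app_user(EVENTS, NOW, 180)
    print("rows:", dict(report))
    print("alert for:", evaluate_alert(report, 15, ">"))
```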