Question & Answer
Question
You defined the Records Affected Threshold value in a policy rule. However a thresold alert arose even when the affected records number was less than the threshold value. Why does an alert arise even when the records count is less than the threshold value?"
Cause
The appliance keeps the total record count per session. It resets the count every time the rule fires, but carries over residual counts. So an alert arises when the residual count + new records number exceeds the threshold value.
Answer
This is expected behaviour. The appliance keeps a total count of records affected per construct, per session. The rule fires and resets every time it fires, but carries over residual counts.
Assume you have set the records Affected Threshold value to 500 in a policy rule, and run the following queries. .
SELECT * FROM xxx WHERE ROWNUM <= 600 (returns 600 records).
The rule will fire for the 500th record, but the remaining 100 will carry over to the next count. So if you now run
SELECT * FROM xxx WHERE ROWNUM <= 400 (returns 400 records),
the rule would indeed fire again because 100+400=500.
The idea here is to prevent the user from selecting a large number of rows in small increments, thereby circumventing the alert rule.
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21571176