Fortinet FortiDB manual Chaining with Parameterized User-Defined Rules

Rule Chaining

After the database has been specified and you have clicked on [Add Item], you will be presented with the Create Rule Chaining Settings page.

Here, you need to:

Name the Rule Chain

Select the policy you want to use as the Source Rule

Select the target rule (Chained Rule) you want to execute once the first rule has been violated.

Specify whether you want the chain to run immediately upon source-rule violation or not. Run Immediately means that the target rule will run as soon as there is a source-rule violation. Run as Scheduled means that the target rule will run according to the module-, database-, or item-specific schedule[1] that is in effect for the source rule.

Decide whether you want to immediately enable the chain or not. Unless you check the Enable Chain? checkbox, the chain won't be in effect. This allows you to create the chain and then only use it when needed.

You can see the Module and the name of the available guarded items for all policies. For example, 'PM' or 'UBM' preceding the rule name indicates the PM or UBM module, respectively.

After the Rule Chain is invoked, alerts will appear with those of other policies.

Note: For UBM policies, which are indicated in green, you can pass parameters from the Source Rule to the Chained Rule if the latter is a Parameterized User-Defined Rule (PUDR) and if the Chain meets certain other conditions. For more information on how to create a PUDR, see the FortiDB MA User Behavior Monitor (UBM) User Guide. For more information on using PUDRs in a chain, see Chaining with Parameterized User-Defined Rules.

Chaining with Parameterized User-Defined Rules

Parameters, specific to the RDBMS type of your target database, can be passed from the source to the target in order to permit the target to perform specific tasks, such as killing the session of a suspicious user.

The source rule can be a UBM User, Object, or Session Policy. The target rule can only be a User-Defined Rule (UDR), and specifically one that can accept parameters: a Parameterized User-Defined Rule (PUDR). The PUDR functionality can be accessed within the UBM module. (See the FortiDB MA User Behavior Monitor (UBM) User Guide.)

When there is a violation of the source rule, the target UDR gets executed, with the parameters passed from the source rule. An alert is generated both for the source violation and for the PUDR execution.

[1] A module schedule will be overridden by a database-specific schedule, if one is set. A database-specific schedule will be overridden by an item-specific schedule, if one is set.
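The following is an added example written for this page, not FortiDB's own code, that models the chaining behaviour described above: a chain acts only when Enable Chain? is set, runs the chained rule either immediately or when the source rule's effective schedule fires (item overrides database overrides module, as in the footnote), passes the source violation's parameters to a PUDR, and records an alert for both the source violation and the PUDR execution. The class and function names (ChainEngine, RuleChain, PUDR, Violation, effective_schedule), the parameter names (username, sid, serial) and the kill-session statement text are assumptions made for illustration; the PUDR action only builds the statement string for the alert and executes nothing.

```python
"""Model of FortiDB-style rule chaining (illustrative, not FortiDB code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Params = Dict[str, str]


def effective_schedule(module: Optional[str] = None,
                       database: Optional[str] = None,
                       item: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Resolve which schedule is in effect for a source rule.

    Precedence from the footnote: an item-specific schedule overrides a
    database-specific one, which overrides the module schedule. Returns
    (level, schedule) for the most specific level that is set.
    """
    for level, sched in (("item", item), ("database", database), ("module", module)):
        if sched is not None:
            return level, sched
    return None, None


@dataclass
class Violation:
    """A source-rule violation carrying the values a PUDR may receive."""
    source_rule: str
    params: Params


@dataclass
class PUDR:
    """Parameterized User-Defined Rule: a named action that accepts parameters."""
    name: str
    action: Callable[[Params], str]


@dataclass
class RuleChain:
    """The settings entered on the Create Rule Chaining Settings page."""
    name: str
    source_rule: str
    chained_rule: PUDR
    run_immediately: bool = True   # Run Immediately vs. Run as Scheduled
    enabled: bool = False          # the "Enable Chain?" checkbox, off by default
    pending: List[Violation] = field(default_factory=list)


class ChainEngine:
    def __init__(self) -> None:
        self.chains: List[RuleChain] = []
        self.alerts: List[str] = []

    def add_chain(self, chain: RuleChain) -> None:
        self.chains.append(chain)

    def on_violation(self, v: Violation) -> None:
        """Record the source alert, then act on every enabled chain for that rule."""
        self.alerts.append(f"violation:{v.source_rule}")
        for chain in self.chains:
            if chain.source_rule != v.source_rule or not chain.enabled:
                continue  # disabled chains are created but not in effect
            if chain.run_immediately:
                self._execute(chain, v, "immediate")
            else:
                chain.pending.append(v)  # wait for the source rule's schedule

    def on_schedule_tick(self, chain_name: str, module: Optional[str] = None,
                         database: Optional[str] = None,
                         item: Optional[str] = None) -> Optional[str]:
        """Run queued chained rules when the source rule's effective schedule fires."""
        level, _ = effective_schedule(module, database, item)
        chain = next(c for c in self.chains if c.name == chain_name)
        for v in list(chain.pending):
            self._execute(chain, v, level or "unscheduled")
        chain.pending.clear()
        return level

    def _execute(self, chain: RuleChain, v: Violation, level: str) -> None:
        # The PUDR runs with the parameters taken from the source violation and
        # produces its own alert alongside the source-violation alert.
        result = chain.chained_rule.action(v.params)
        self.alerts.append(f"pudr:{chain.chained_rule.name}:{level}:{result}")


def kill_session(p: Params) -> str:
    # Constructed stand-in for a PL/SQL-based PUDR body: returns the statement
    # text for the alert only; nothing is sent to a database here.
    return f"ALTER SYSTEM KILL SESSION '{p['sid']},{p['serial']}'"


def demo() -> List[str]:
    """Three chains on one source rule: immediate, scheduled and disabled."""
    engine = ChainEngine()
    kill = PUDR("KillSuspiciousSession", kill_session)
    engine.add_chain(RuleChain("chain-immediate", "UBM Session Policy", kill,
                               run_immediately=True, enabled=True))
    engine.add_chain(RuleChain("chain-scheduled", "UBM Session Policy", kill,
                               run_immediately=False, enabled=True))
    engine.add_chain(RuleChain("chain-disabled", "UBM Session Policy", kill,
                               run_immediately=True, enabled=False))
    # Constructed violation: a suspicious login time for a session.
    engine.on_violation(Violation("UBM Session Policy",
                                  {"username": "SCOTT", "sid": "142", "serial": "7"}))
    # Module and database schedules are set, no item schedule: database wins.
    engine.on_schedule_tick("chain-scheduled", module="hourly", database="every 5 min")
    return engine.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The demo produces one source-violation alert and two PUDR alerts (one marked immediate, one run under the database-level schedule); the disabled chain produces nothing, which is the behaviour the Enable Chain? checkbox controls.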

FortiDB Version 3.2 Utilities

User Guide

15-32000-81369-20081219
