Fortinet FortiDB manual Table Columns That Could Appear in Alerts, Resulting Killed Session


Rule Chaining

Chaining with Parameterized User-Defined Rules

Chained-Rule Alerts: (UBM Session Policy and PUDR)

5. Get an alert when the Source rule (the Session Policy) is violated.

6. Get another alert when the chained PUDR executes and, in this case, kills the session of BAD_GUY.

7. And, in the Alert Details dialog, display DB user name, OS user name, machine name, and source-program name as shown above.

Resulting Killed Session

8. Notice that our SQLPlus session has been killed.

Alert Behavior

This topic describes various alert behaviors that users should be aware of.

Table Columns That Could Appear in Alerts

Be careful when specifying the SQL for your UDRs. Statements like "SELECT * FROM <table_name>", where <table_name> has a lot of columns, may produce alerts that are difficult to read due to the large number of columns. It is better to be more specific, like "SELECT <column_name1>, ... , <column_nameN> FROM <table_name>".

For example, in Oracle, v$session has over 40 columns, so instead of this statement:

SELECT * FROM v$session WHERE osuser = '$osusername'

you might want to use one with specific columns, like:

FortiDB Version 3.2 Utilities

User Guide

15-32000-81369-20081219

17
