Fortinet FortiDB Chaining with Parameterized User-Defined Rules

Rule Chaining Chaining with Parameterized User-Defined Rules

FortiDB Version 3.2 Utilities User Guide

15-32000-81369-20081219 11

After the database has been specified and you have clicked on [Add Item], you

will be presented with the Create Rule Chaining Settings page.

Here, you need to:

• Name the Rule Chain

• Select the policy you want to use as the Source Rule

• Select the target rule (Chained Rule) you want to execute, once the first rule

had been violated.

• Specify whether you want the chain to run immediately upon source-rule

violation or not. Run Immediately means that the target rule will run as soon

as there is a source-rule violation. Run as Scheduled means that the target

rule will run according to the module-, database-, or item-specific schedule that

is in effect for the source rule.

• Decide whether you want to immediat1ely enable the chain or not. Unless you

check the Enable Chain? checkbox, the chain won't be in effect. This allows

you to create the chain and then only use it when needed.

You can see the Module and the name of the available guarded items for all

policies. For example, 'PM|' or 'UBM|' preceding the rule name indicates the PM,

or UBM module, respectively.

After the Rule Chain is invoked, alerts will appear with those of other policies.

Chaining with Parameterized User-Defined Rules

Parameters, specific to the RDBMS type of your target database, can be passed

from the source to the target in order to permit the target to perform specific tasks,

such as to kill the session of a suspicious user.

The source rule can be a UBM User, Object, or Session Policy. The target rule can

only be a User-Defined Rule (UDR) and specifically one that can accept

parameters: a Parameterized User Defined Rule (PUDR). The PUDR functionality

can be accessed within the UBM module. (See the FortiDB MA User Behavior

Monitor (UBM) User Guide)

When there is a violation of the source rule, the target UDR gets executed, with

the parameters passed from the source rule. An alert is generated both for the

source violation and for the PUDR execution.

1. A module schedule will be overridden by a database-specific schedule, if one is set. A

database-specific schedule will be overridden by an item-specific schedule if one is set.

Note: For UBM policies, which are indicated in green, you can pass parameters

from the Source Rule to the Chained Rule, if the latter is a Parameterized User-

Defined Rule (PUDR) and if the Chain meets certain other conditions. For more

information on how to create a PUDR see the FortiDB MA User Behavior Monitor

(UBM) User Guide. For more information on using PUDRs in a chain, see

Chaining with Parameterized User-Defined Rules).