Rule Chaining

Chaining with Parameterized User-Defined Rules

After the database has been specified and you have clicked on [Add Item], you will be presented with the Create Rule Chaining Settings page.

Here, you need to:

Name the Rule Chain

Select the policy you want to use as the Source Rule

Select the target rule (Chained Rule) you want to execute, once the first rule had been violated.

Specify whether you want the chain to run immediately upon source-rule violation or not. Run Immediately means that the target rule will run as soon as there is a source-rule violation. Run as Scheduled means that the target rule will run according to the module-, database-, or item-specific schedule that is in effect for the source rule.

Decide whether you want to immediat1ely enable the chain or not. Unless you check the Enable Chain? checkbox, the chain won't be in effect. This allows you to create the chain and then only use it when needed.

You can see the Module and the name of the available guarded items for all policies. For example, 'PM' or 'UBM' preceding the rule name indicates the PM, or UBM module, respectively.

After the Rule Chain is invoked, alerts will appear with those of other policies.

Note: For UBM policies, which are indicated in green, you can pass parameters from the Source Rule to the Chained Rule, if the latter is a Parameterized User- Defined Rule (PUDR) and if the Chain meets certain other conditions. For more information on how to create a PUDR see the FortiDB MA User Behavior Monitor (UBM) User Guide. For more information on using PUDRs in a chain, see Chaining with Parameterized User-Defined Rules).

Chaining with Parameterized User-Defined Rules

Parameters, specific to the RDBMS type of your target database, can be passed from the source to the target in order to permit the target to perform specific tasks, such as to kill the session of a suspicious user.

The source rule can be a UBM User, Object, or Session Policy. The target rule can only be a User-Defined Rule (UDR) and specifically one that can accept parameters: a Parameterized User Defined Rule (PUDR). The PUDR functionality can be accessed within the UBM module. (See the FortiDB MA User Behavior Monitor (UBM) User Guide)

When there is a violation of the source rule, the target UDR gets executed, with the parameters passed from the source rule. An alert is generated both for the source violation and for the PUDR execution.

1.A module schedule will be overridden by a database-specific schedule, if one is set. A database-specific schedule will be overridden by an item-specific schedule if one is set.

FortiDB Version 3.2 Utilities

User Guide

15-32000-81369-20081219

11

Page 13
Image 13
Fortinet FortiDB manual Chaining with Parameterized User-Defined Rules