Configuring alert rules for a session policy

  1. Click the triangle icon at Alert Rules to expand it.
  2. In the Combination Rule field, select one from the dropdown list:
    • Issue alert if ANY of the enabled rules are triggered
    • Issue alert if ALL of the enabled rules are triggered
  3. Mark the check box of each rule you want to enable. The options and their descriptions are:

    Login/Logout Activity

      Generate alerts for login/logout activity. Select "Alert Login Failure" to alert on failed logins only, or select "Alert All Login/logout Activity".

    Suspicious Login Time

      Time of login is beyond the specified normal hours.

      You can specify the time ranges by entering numbers:

      1. In the From and To fields, enter the starting and ending times you want to treat as suspicious login time.
      2. If necessary, click the + sign to add another time range, or the - sign to remove a time range.
      • To generate alerts for login times inside one of the ranges in the list, check the "Alert if login time is within one of the time ranges in the list" check box.
      • To generate alerts for login times outside every range in the list, check the "Alert if login time is NOT within one of the time ranges in the list" check box.

    Extremely Long Session

      Generate alerts when the duration of a session is abnormally long.

      You can specify the threshold by entering how many hours are allowed for a session.

    Excessive Read Activities

      Generate alerts when the number of logical page reads is abnormally high.

      You can specify the threshold by entering how many page reads are allowed for a session.

    High Read Ratio

      Generate alerts when the number of logical reads per minute is abnormally high.

      You can specify the threshold by entering how many page reads are allowed for a session.

    Suspicious OS User

      Alert on any successful access to the selected object by certain OS users.

      Note: For Microsoft SQL Server, this rule applies only to Windows authentication.

      You can specify one or more OS usernames by typing the specific name or using a regular expression.

      1. Click Add.
      2. Select an operator from the dropdown list.
      3. Enter the OS username according to the operator you selected.
      4. Repeat steps 1 to 3 if necessary.
      • To generate alerts for the OS user(s) in the list, check the "Alert any successful access if the OS user is specified in the list" check box.
      • To generate alerts for OS users not in the list, check the "Alert any successful access if the OS user is not specified in the list" check box.

    Suspicious Location

      Alert on any successful access to the selected object from certain locations.

      You can specify one or more locations by typing the specific location or using a regular expression.

      1. Click Add.
      2. Select an operator from the dropdown list.
      3. Enter a location name according to the operator you selected.
      4. Repeat steps 1 to 3 if necessary.
      • To generate alerts for the location(s) in the list, check the "Alert any successful access from locations in the list" check box.
      • To generate alerts for locations not in the list, check the "Alert any successful access from locations not in the list" check box.

    Suspicious Client Application

      Alert on any successful access to the selected object by certain client applications.

      You can specify one or more client applications by typing the specific client application or using a regular expression.

      1. Click Add.
      2. Select an operator from the dropdown list.
      3. Enter a client application according to the operator you selected.
      4. Repeat steps 1 to 3 if necessary.
      • To generate alerts for the client application(s) in the list, check the "Alert any successful access if the client application is in the list" check box.
      • To generate alerts for client applications not in the list, check the "Alert any successful access if the client application is not in the list" check box.

    Excessive Access Violation

      Alert on excessive access to the selected object within the specified time slot.

      You can specify the maximum number of accesses allowed within a certain time period.

      1. Enter the number of accesses allowed.
      2. Select hours, days, minutes, or seconds from the dropdown list, then enter the number of units.

      Tracking Strategy: tracking rule selection for time violation.

      The threshold you set for time violation is counted separately per OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any rule, every access to the selected audit settings is counted together.

    Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")

      Alert on any successful access to the selected object by certain client IPs. This rule only takes effect for monitoring with Collection Method "TCP/IP Sniffer".

      You can specify one or more IP addresses, IP address ranges, or subnets.

      1. Click Add.
      2. Enter a Start/End IP address pair, or an IP/Netmask. For example, "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
      3. Repeat the steps above if necessary.
      • To generate alerts for clients whose IP is in a specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".
      • To generate alerts for clients whose IP is not in any specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".
  4. Click Save.
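The rules above are easier to reason about when you can see how they combine. The following Python is an added example written for this page; it is not FortiDB's own code and does not use its schema. The session field names, the policy keys, the regular-expression operator for the list-based rules, and the sample policy and sessions are all assumptions made here. It shows the "in the list" / "not in the list" checkbox pairs, a suspicious-hours range that wraps past midnight, IP entries written as a start-end pair or as network/dotted-netmask, a sliding-window Excessive Access Violation counter whose key follows the Tracking Strategy, and the ANY/ALL Combination Rule.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, time
# Session fields and policy keys below are this example's assumptions, not the product's schema.

def parse_time(text):
    """'22:30' -> time(22, 30); the From/To fields are times of day."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))

def in_time_ranges(t, ranges):
    """True if t falls inside any (From, To) range; 22:00-06:00 wraps past midnight."""
    for start, end in ((parse_time(a), parse_time(b)) for a, b in ranges):
        if (start <= t <= end) if start <= end else (t >= start or t <= end):
            return True
    return False

def matches_list(value, patterns):
    """Regular-expression list match, as the OS user, location and client application rules allow."""
    return any(re.fullmatch(p, value) for p in patterns)

def ip_in_list(ip, entries):
    """Entries are 'start-end' ranges or 'network/netmask' (dotted mask or prefix length)."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:
            low, high = (ipaddress.ip_address(x.strip()) for x in entry.split("-"))
            if low <= addr <= high:
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

class AccessCounter:
    """Sliding-window counter for Excessive Access Violation. The tracking strategy selects the
    bucket key; with no tracking fields every access is counted in a single bucket."""
    def __init__(self, max_accesses, window_seconds, tracking_by=()):
        self.max_accesses, self.window, self.tracking_by = max_accesses, window_seconds, tracking_by
        self.events = defaultdict(deque)

    def record(self, session, timestamp):
        key = tuple(session[field] for field in self.tracking_by)
        queue = self.events[key]
        queue.append(timestamp)
        while queue and (timestamp - queue[0]).total_seconds() > self.window:
            queue.popleft()            # drop accesses that fell out of the time slot
        return len(queue) > self.max_accesses

def evaluate(session, policy, counter=None):
    """Return (alert, triggered_rule_names) for one session under the policy's Combination Rule."""
    ok = not session["login_failed"]   # the "any successful access" rules ignore failed logins
    login = session["login_time"]
    reads_per_minute = session["page_reads"] / max(session["duration_hours"] * 60, 1e-9)

    def listed(value, patterns, alert_if_listed):   # the "in the list" / "not in the list" pair
        return ok and matches_list(value, patterns) == alert_if_listed

    checks = {
        "login_failure": session["login_failed"],
        "suspicious_login_time": in_time_ranges(login.time(), policy["suspicious_hours"]) == policy["alert_if_login_in_ranges"],
        "extremely_long_session": session["duration_hours"] > policy["max_session_hours"],
        "excessive_reads": session["page_reads"] > policy["max_page_reads"],
        "high_read_ratio": reads_per_minute > policy["max_reads_per_minute"],
        "suspicious_os_user": listed(session["os_user"], policy["os_users"], policy["alert_if_os_user_listed"]),
        "suspicious_location": listed(session["location"], policy["locations"], policy["alert_if_location_listed"]),
        "suspicious_client_app": listed(session["client_app"], policy["client_apps"], policy["alert_if_client_app_listed"]),
        "suspicious_client_ip": ok and ip_in_list(session["client_ip"], policy["client_ips"]) == policy["alert_if_ip_listed"],
    }
    if counter is not None:
        checks["excessive_access"] = ok and counter.record(session, login)
    triggered = [name for name in policy["enabled"] if checks[name]]
    if policy["combination"] == "ALL":
        return len(triggered) == len(policy["enabled"]), triggered
    return bool(triggered), triggered

# Constructed sample policy and sessions (not captured from any product).
POLICY = {
    "combination": "ANY",
    "enabled": ["login_failure", "suspicious_login_time", "extremely_long_session",
                "high_read_ratio", "suspicious_os_user", "suspicious_client_ip", "excessive_access"],
    "suspicious_hours": [("22:00", "06:00")], "alert_if_login_in_ranges": True,
    "max_session_hours": 8, "max_page_reads": 1_000_000, "max_reads_per_minute": 5000,
    "os_users": [r"svc_.*", "backup"], "alert_if_os_user_listed": False,   # alert on unlisted OS users
    "locations": [], "alert_if_location_listed": True, "client_apps": [], "alert_if_client_app_listed": True,
    "client_ips": ["10.0.0.1-10.0.0.254", "192.168.2.0/255.255.255.0"], "alert_if_ip_listed": False,
}

def session(os_user, hour, minute, second, ip, duration_hours, page_reads, failed=False):
    return {"os_user": os_user, "login_time": datetime(2024, 1, 15, hour, minute, second), "client_ip": ip,
            "duration_hours": duration_hours, "page_reads": page_reads, "login_failed": failed,
            "location": "HQ", "client_app": "sqlcmd"}

SESSIONS = [
    session("svc_etl", 9, 0, 0, "10.0.0.7", 1, 60_000),       # routine batch job, nothing fires
    session("jdoe", 23, 30, 0, "203.0.113.5", 10, 100_000),   # off-hours, unlisted user and IP, long
    session("svc_etl", 9, 0, 10, "10.0.0.7", 1, 60_000),
    session("svc_etl", 9, 0, 20, "10.0.0.7", 1, 60_000),
    session("svc_etl", 9, 0, 30, "10.0.0.7", 1, 60_000),      # 4th access in 60 s with a limit of 3
]

def run_demo(combination="ANY"):
    policy = dict(POLICY, combination=combination)
    counter = AccessCounter(max_accesses=3, window_seconds=60, tracking_by=("os_user",))
    return [evaluate(s, policy, counter) for s in SESSIONS]
```

With the ANY combination, the second session alerts on four rules at once and the fifth alerts only for the access-rate violation; switching to ALL silences both, because ALL requires every enabled rule to fire for the same session, which in practice makes it useful only with a small, deliberately chosen set of rules. Note that the access counter is keyed on the OS user, so the batch account's bursts never mix with other users' accesses; with an empty tracking strategy all accesses share one bucket.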