Configuring alert rules for a user policy

  1. Click the triangle icon of the Alert Rules section to expand it.
  2. In the Combination Rule field, select one of the following from the dropdown list:
    • Issue alert if ANY of the enabled rules are triggered: each enabled rule generates alerts individually.
    • Issue alert if ALL of the enabled rules are triggered: an alert is generated only when the combination of selected rules is triggered.
  3. Mark the check box of each rule you want to enable from the following:

    Security Violation

    Alert any failed attempt to access the selected object without proper permission.

    Suspicious OS User

    Alert any successful access to the selected object by certain OS users.

    You can specify one or more OS usernames by typing the specific name or using a regular expression.

    1. Click Add.
    2. Select an operator from the dropdown list.
    3. Enter the OS username depending on the operator you selected.
    • To generate alerts for the OS user(s) you specified in the list, check the "Alert any successful access if the OS user is specified in the list" check box.
    • To generate alerts for the OS user(s) you did not specify in the list, check the "Alert any successful access if the OS user is not specified in the list" check box.

    Suspicious Object Access

    Alert any successful access to the selected object(s). Objects can be selected in either of the following ways:

    • Manually Select Object
    • Browse Object by Target (default)

    You can specify one or more objects as follows:

    1. Select a target from the Target dropdown list.
    2. Select a schema from the dropdown list.
    3. Select one or more tables from the Tables list.
    4. Select the Read (Select) check box, the Write (Insert/Update/Delete) check box, or both in the Audit Actions field.
    5. Click the right arrow to move the selections to the Selected Objects list.

    Note: To remove entries from the Selected Objects list, select the objects you want to remove and click the left arrow.

    • To generate alerts for the object(s) you specified in the list, check the "Issue alert if the accessed object is specified in the list" check box.
    • To generate alerts for the object(s) you did not specify in the list, check the "Issue alert if the accessed object is not specified in the list" check box.

    Suspicious Location

    Alert any successful access to the selected object from certain locations.

    You can specify one or more locations by typing the specific location or using a regular expression.

    1. Click Add.
    2. Select an operator from the dropdown list.
    3. Enter a location name depending on the operator you selected.
    4. Repeat steps 1 to 3 if necessary.
    • To generate alerts for the location(s) you specified in the list, check the "Alert any successful access from locations in the list" check box.
    • To generate alerts for the location(s) you did not specify in the list, check the "Issue alert if the accessed object is not specified in the list" check box.

    Suspicious Client Application (Client Id)

    Alert any successful access to the selected object by certain client applications.

    You can specify one or more client applications by typing the specific client application or using a regular expression.

    1. Click Add.
    2. Select an operator from the dropdown list.
    3. Enter a client ID depending on the operator you selected.
    4. Repeat steps 1 to 3 if necessary.
    • To generate alerts for the client applications you specified in the list, check the "Alert any successful access if the client application is in the list" check box.
    • To generate alerts for the client applications you did not specify in the list, check the "Alert any successful access if the client application is not in the list" check box.

    Excessive Access Violation

    Alert excessive access to the selected object within the specified time slot.

    You can specify the maximum number of accesses allowed within a certain time period.

    1. Enter the number of accesses allowed.
    2. Select hours, days, minutes, or seconds from the dropdown list, then enter the number of units.

    Tracking Strategy: selects the tracking rule for the time violation.

    • The threshold you set for the time violation is counted separately per OS User, Location, Client Application, or Database User, depending on your selection. If you do not select any rule, every access matching the selected audit settings is counted.

    Time Range Violation

    Alert any access to the selected object within certain time ranges.

    You can specify one or more time ranges.

    1. Click Add.
    2. Enter hour and minute values in the "Received from" and "To" fields for the time range, in 24-hour format.
    3. Repeat the above steps if necessary.
    • To generate alerts for access within the time range, select "Alert any access if the timestamp is between time range".
    • To generate alerts for access outside the time range, select "Alert any access if the timestamp is not between time range".

    Suspicious Client IP (only for Collection Method "TCP/IP Sniffer")

    Alert any successful access to the selected object by certain client IPs. This rule only takes effect for monitoring with Collection Method "TCP/IP Sniffer".

    You can specify one or more IP addresses, IP address ranges, or subnets.

    1. Click Add.
    2. Enter a Start/End IP address pair, or an IP/Netmask. For example, enter "192.168.1.1" - "192.168.1.254" for an IP range, or "192.168.2.0/255.255.255.0" for a subnet.
    3. Repeat the above steps if necessary.
    • To generate alerts for clients whose IP is in a specified IP range or subnet, select "Alert any successful access if the client's IP is in the list".
    • To generate alerts for clients whose IP is not in any specified IP range or subnet, select "Alert any successful access if the client's IP is not in the list".
  4. Click Save.
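The following added example (not FortiDB code) models how the Time Range Violation, Suspicious Client IP and Excessive Access Violation rules above evaluate a stream of database access events, and how the ANY/ALL Combination Rule joins their results. The event fields, sample values, and function names are constructed for illustration; the IP list accepts the same "start - end" and "addr/netmask" forms the page shows.

```python
# Added illustration (not FortiDB code) of how the alert rules above evaluate
# database access events; the event fields and sample values are constructed.
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, time

def make_event(hour, minute, user, ip):  # constructed sample audit event
    return {"ts": datetime(2024, 5, 1, hour, minute), "os_user": user, "client_ip": ip}

EVENTS = [make_event(2, 15, "svc_etl", "192.168.1.10")] + [
    make_event(9, m, "alice", "10.0.0.7") for m in range(4)]

def hhmm(s):
    """'HH:MM' in 24-hour format, as typed in the Received from / To fields."""
    h, m = map(int, s.split(":"))
    return time(h, m)

def time_range_rule(ev, ranges, alert_if_between=True):
    """Time Range Violation. A range whose end precedes its start wraps midnight."""
    t = ev["ts"].time()
    def hit(s, e):
        return s <= t <= e if s <= e else (t >= s or t <= e)
    return any(hit(hhmm(s), hhmm(e)) for s, e in ranges) == alert_if_between

def parse_ip_entry(entry):
    """Accept 'start - end' (inclusive range) or 'addr/netmask' like the page's examples."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry.strip(), strict=False)]

def client_ip_rule(ev, entries, alert_if_in=True):
    """Suspicious Client IP: alert when the client is (or is not) in the list."""
    ip = ipaddress.ip_address(ev["client_ip"])
    return any(ip in n for e in entries for n in parse_ip_entry(e)) == alert_if_in

def excessive_access_rule(events, limit, window_seconds, track_by="os_user"):
    """Excessive Access Violation, counted per tracking key (e.g. OS user) in a sliding window."""
    recent, flagged = defaultdict(deque), []
    for ev in events:
        q = recent[ev[track_by]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > limit:  # more accesses than allowed within the window
            flagged.append(ev)
    return flagged

def evaluate(events, rules, combine=any):
    """Combination Rule: `any` = alert if ANY rule fires, `all` = only if ALL fire."""
    return [e for e in events if combine(rule(e) for rule in rules)]
```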