8 Creating Alerts

This chapter contains:

About Alerts

You can create and configure alerts on events for secured targets, and for third-party plug-ins that have been developed using the Oracle AVDF SDK. These events may be collected by the Audit Vault Agent or the Database Firewall. Alerts are independent of audit policies or firewall policies.

Alerts are rule-based. That is, if the rule definition is matched (for example, User A fails to log in to Client Host B after three tries), then an alert is raised. An alert can be applied to multiple secured targets, such as four Oracle databases. In this case, the rule can include more than one event and the event comes from different secured targets. For example, User A failed to log in to secured target X and User A also failed to log in to secured target Y.

You can specify an alert severity and associate the alert with the audit events described in Appendix C through Appendix G. Also, if a secured target is monitored by a Database Firewall, you can configure alerts based on audit records sent by the firewall, in addition to the alerts specified in the firewall policy (see "Creating Database Firewall Policies".)

When you configure an alert, you can set up an email to be automatically sent to a user, such as a security officer, or to a distribution list. You can also configure templates to be used for email alert notification.

Alerts are raised when the audit data reaches the Audit Vault Server, not when the event that raises the alert occurs. The time lag between when the event occurs and when the alert is raised depends on several factors, including how frequently the audit trails are retrieved. The timestamp of an alert event indicates the time that the event occurred (for example, the time that User A tries to log in). The timestamp for the alert indicates when the alert was raised.

Creating and Configuring Alerts

This section contains:

Creating Alert Status Values

You can create alert status values to assign to an alert during the lifetime of the alert. Oracle AVDF provides two status values: New and Closed. You can create additional ones to suit your needs, such as Pending.

To create an alert status value:

  1. Log in to the Audit Vault Server console as an auditor, then click the Policy tab.

  2. From the menu on the left, click Alerts, then click Manage Alert Status Values.

    The Alert Status Values page appears. From here you can edit or delete existing user-defined alert status values.

  3. To create a new alert status, click Create.

  4. In the Create Alert Status Value page, enter the following settings:

    • Status Value: Enter a name for the status value (for example, Pending).

    • Description: Optionally, enter a description for the status value.

  5. Click Save.

    The new alert status appears in the Alert Status Values page.

Creating or Modifying an Alert

When you create an alert in Oracle AVDF, you define the conditions that will trigger the alert, and specify the type of notification that will be sent, and to whom. For example, you could create an alert that is raised each time User X tries to modify Table Y, and which will notify administrator Z, using a specific email notification template.

Oracle AVDF has a preconfigured alert that is triggered based on alert settings in your Database Firewall policy. The alerts you create are for audit and other events not associated with Database Firewall.

To create an alert:

  1. Log in to the Audit Vault Server console as an auditor, and click the Policy tab.

  2. From the menu on the left, click Alerts.

    The Alerts page appears, which lists the existing alerts. To view or modify the definition for an existing alert, click its name in the Alert Name field.

    You can adjust the appearance of the list from the Actions menu. See "Working with Lists of Objects in the UI".

  3. For a new alert click Create, otherwise, click the name of the alert to modify.

    The Create (or Modify) Alert page appears.

  4. Enter the alert Name and optional Description in the appropriate fields.

  5. Specify the following information:

    • Alert Severity: Select Warning or Critical.

    • Secured Target Type: Select secured target type, for example, Oracle Database.

    • Threshold: Enter the number of times the alert condition should be matched before the alert is raised.

    • Duration: If you entered a threshold value that is more than 1, enter the length of time (in minutes) that this alert condition should be evaluated to meet that threshold value. For example if you enter a threshold of 3 and duration of 5, then the condition must be matched 3 times in 5 minutes to raise an alert.

    • Group By: Select a field from the list to group events by this column for this alert rule.

    • Condition: Enter a Boolean condition that must be met for this alert to be triggered. The Condition - Available Fields area on the right lists the permissible fields you can use to build your condition in the following format:

      :condition_field operator expression

      You can use any valid SQL WHERE clause with the available fields, for example, your condition may be:

      upper(:EVENT_STATUS) = 'FAILURE'

      See "Defining Alert Conditions" for details.

  6. Optionally, in the Notification area:

    1. Specify the following information:

      • Template: Select a notification template to use for this alert.

      • Distribution List: Select an email distribution list that will be notified about this alert.

      • To: Enter email addresses, separated by commas, to receive notifications.

      • Cc: Enter email addresses, separated by commas, to be copied on notifications.

    2. Click Add to List to record the email recipients that you entered in the To and Cc fields.

    See also, "Creating Templates and Distribution Lists for Email Notifications".

  7. Click Save.

    The new alert appears in the Alerts page.

You can monitor alert activity from the dashboard on the Audit Vault Server console Home page. See "Monitoring Alerts" for more information.

Defining Alert Conditions

This section contains:

About Alert Conditions

In the Condition field of the Create Audit Alert Rule page, you can construct a Boolean condition that evaluates audit events. When the Boolean condition evaluates to TRUE, then Oracle AVDF raises the alert, and notifies any specified users. As a general guideline, try to keep your alert conditions simple. Overly complex conditions can slow the Audit Vault Server database performance.

The syntax for the alert condition is:

:condition_field operator expression

Creating an Alert Condition

The Create Audit Alert Rule page contains available fields from an Oracle AVDF audit record that you can cut and paste to build your alert conditions. Table 8-1 describes the available fields for alert conditions.

Table 8-1 Available Fields for Alert Conditions

Condition Field Description

ACTION_TAKEN

(Firewall Alerts) Action taken by the Database Firewall, for example: BLOCK, WARN, or PASS

AV_TIME

The time Oracle AVDF raised the alert

CLIENT_HOST_NAME

The host name of the client application that was the source of the event causing the alert

CLIENT_IP

The IP address of the client application that was the source of the event causing the alert

CLUSTER_TYPE

(Firewall Alerts) The cluster type of the SQL statement causing the alert. Values may be:

Data Manipulation
Data Definition
Data Control
Procedural
Transaction
Composite
Composite with Transaction

COMMAND_CLASS

The Oracle AVDF command class. See Appendix C through Appendix M for details.

ERROR_CODE

The secured target's error code

ERROR_MESSAGE

The secured target's error message

EVENT_NAME

The secured target's audit event name. See Appendix C through Appendix M for details.

EVENT_STATUS

Status of the event: Success or Failure

EVENT_TIME

The time that the event occurred

NETWORK_CONNECTION

Description of the connection between the secured target database and the database client, in the following format:

client_ip:client_port,database_ip:database_port

For example:

198.51.100.1:5760,203.0.113.1:1521

OSUSER_NAME

Name of the secured target's OS user

SECURED_TARGET_NAME

Name of the secured target in Oracle AVDF

TARGET_OBJECT

Name of the object on the secured target, for example, a table name, file name, or a directory name. Must be in upper case, for example, ALERT_TABLE.

TARGET_OWNER

Owner of the object on the secured target

TARGET_TYPE

The object type on the secured target, for example, TABLE, or DIRECTORY

THREAT_SEVERITY

(Firewall Alerts) The threat severity of the SQL statement triggering the alert, as defined in a Database Firewall policy. Values may be: Unassigned, Insignificant, Minor, Moderate, Major, or Catastrophic.

USER_NAME

User name of the secured target user


The above fields must be preceded by a colon (for example :USER_NAME) when used in the condition. Using these fields, you can build your condition as described below.

Use Any Legal SQL Function

You can use any legal SQL function, including user-defined functions. However, you cannot use sub-query statements. For example:

  • upper()

  • lower()

  • to_char()

Use Any Legal SQL Operator

For example, you can use:

  • not

  • like

  • <

  • >

  • in

  • and

  • null

When using operators, follow these guidelines:

  • Remember that Oracle AVDF evaluates an alert condition for each incoming audit record.

  • You cannot use nested queries (for example, not in SELECT...) in the condition.

Use Wildcards

You can use the following wildcards:

  • % (to match zero or more characters)

  • _ (to match exactly one character)

Group Components of a Condition

You can group components within the condition by using parentheses. For example:

(((A > B) and (B > C)) or C > D)

Example of an Alert Condition

Suppose you want to monitor application shared schema accounts that are being used outside the database. An example of this scenario is when the database user is APPS and the client identifier is set to NULL.

To write a condition for this alert, you can copy the EVENT_NAME and USER_NAME fields from the available fields list, and use them to write this condition:

:EVENT_NAME='LOGON' and :USER_NAME='apps' and :CLIENT_IP=NULL

This condition says, "Raise an alert if any ex-employee tries to log in to the database."

You can look up audit event names and attributes in Appendix C through Appendix G.

Forwarding Alerts to Syslog (AVDF 12.1.2)

This feature is available as of Oracle AVDF version 12.1.2.

In addition to seeing alerts in reports, and receiving them in notifications as specified in the alert configuration, you can also forward all alert messages to syslog.

As a prerequisite to forwarding alerts to syslog, the Oracle AVDF administrator must configure syslog destinations in the Audit Vault Server, and select Alert as a syslog category. See the Oracle Audit Vault and Database Firewall Administrator's Guide for instructions.

To forward all alerts to syslog:

  1. Log in to the Audit Vault Server console as a super auditor.

  2. Click the Policy tab.

  3. Click Alerts from the menu on the left, and then click Forward Alerts to Syslog.

    All defined alerts are forwarded to syslog.

AVDF Syslog Alert Message Format

AVDF alerts appear in syslog in the following format:

[AVDFAlert@111 name="alert_name" severity="alert_severity" 
url="auditor_console_URL_for_alert" time="alert_generated_time" target="secured_target" user="username" desc="alert_description"]

The user and target parameters may list zero or more users or targets related to this alert.

Example:

Apr 16 23:22:31 avs08002707d652 logger: [AVDFAlert@111 name="w_1" severity="Warning" url="https://192.0.2.10/console/f?p=7700..." time="2014-04-16T22:55:30.462332Z" target="cpc_itself" user="JDOE" desc=" "]

Monitoring Alerts

Oracle AVDF raises an alert when data in a single audit record matches an alert rule condition. Auditors can view recently raised alerts in the dashboard on the Audit Vault Server console's Home page. Alerts are grouped by the time that the alerts are raised, and by the severity level of the alert (warning or critical). From here, you can drill down to reports.

You can also schedule alert reports from the Audit Vault Server Reports tab. For details, see:

Disabling, Enabling, or Deleting Alerts

You can disable an alert while keeping the alert definition in case you wish to enable this alert again in the future.

To disable or enable alerts:

  1. Log into the Audit Vault Server console as an auditor, and click the Policy tab.

  2. Click Alerts from the menu on the left.

    The alerts list is displayed. You can adjust the appearance of the list from the Actions menu. See "Working with Lists of Objects in the UI".

  3. Select the alerts you want, and then click Disable, Enable, or Delete.

Responding to an Alert

After you have created alerts and when they are generated, you or other auditors can respond to them. You can change the alert status (for example, closing it), or notify other users of the alert.

To respond to an alert:

  1. Log in to the Audit Vault Server console as an auditor.

  2. Access the alert by using one of the following methods:

    • From the Dashboard page, select the alert from the Recently Raised Alerts list.

    • From the Reports tab, expand the Alert Reports section, then select All Alerts, Critical Alerts, or Warning Alerts. See "Filtering and Controlling the Display of Data in a Report" to adjust the data in the report.

  3. In one of the Alerts pages, select the check boxes for the alerts to which you want to respond.

  4. Take any of the following actions:

    • Notify another auditor of the alert. Click the Notify button. In the Manual Alert Notification page, select the notification template. Then you must select a distribution list and/or enter email addresses in the To or Cc fields. Separate multiple email addresses with a comma. Click the Add to List button to compile the listing, and then click the Notify button to send the notification.

    • Details. Select the page icon under the Details column for the report, and under the Notes area, enter a note to update the status of the alert.

    • Set the alert status. From the Set Status to list, select New or Closed, or a user-defined status value if available, and then click the Apply button. When an alert is first generated, it is set to New.