8 Creating Alerts

8.1 About Alerts

8.1.1 Overview

You can create and configure alerts on events for secured targets, and for third-party plug-ins that have been developed using the Oracle Audit Vault and Database Firewall SDK. These events may be collected by the Audit Vault Agent or the Database Firewall. Alerts are independent of audit policies or firewall policies.

Alerts are rule-based. That is, if the rule definition is matched (for example, User A fails to log in to Client Host B after three tries), then an alert is raised. An alert can be applied to multiple secured targets, such as four Oracle databases. The alert rule can include more than one event and the event comes from different secured targets. For example, User A failed to log in to secured target X and User A also failed to log in to secured target Y.

You can specify an alert severity and associate the alert with the audit events through active directory. Also, if a secured target is monitored by a Database Firewall, you can configure alerts based on audit records sent by the firewall, in addition to the alerts specified in the firewall policy.

When you configure an alert, you can set up an email to be automatically sent to a user, such as a security officer, or to a distribution list. You can also configure templates to be used for email alert notification.

Alerts are raised when the audit data reaches the Audit Vault Server, not when the event that raises the alert occurs. The time lag between when the event occurs and when the alert is raised depends on several factors, including how frequently the audit trails are retrieved. The timestamp of an alert event indicates the time that the event occurred (for example, the time that User A tries to log in). The timestamp for the alert indicates when the alert was raised.

8.1.2 Defining Useful Alerts

A good way to define specific alerts that are meaningful to you is to first browse activity reports in Oracle Audit Vault and Database Firewall. Activity reports contain a variety of audit event data, so browsing them can help you determine the key fields in audit records that are of special interest to you. These audit record fields are columns in the activity reports.

Looking at the report columns of interest, and the values in those columns, is a useful starting point for creating an alert that focuses on the audit events on which you want to be alerted. You can then create an alert with a condition (a rule) that defines the specific audit record field(s) and values that will trigger the alert.

For example, suppose you want to be alerted on schema changes to certain database objects. You can start by browsing the Database Schema Changes activity report. Figure 8-1 shows a sample of this report.

Figure 8-1 Activity Report: Database Schema Changes



From this report, you can see the various database target objects, users, client program names, and other data associated with schema change audit events captured by Oracle Audit Vault and Database Firewall. From here, you can decide which target objects you want to alert on. You can then narrow down the alert to specific users, client programs, etc.

8.2 Creating Alerts and Writing Alert Conditions

8.2.1 Creating or Modifying an Alert

When you create an alert in Oracle Audit Vault and Database Firewall, you define the conditions that will trigger the alert, and specify the type of notification that will be sent, and to whom. For example, you could create an alert that is raised each time User X tries to modify Table Y, which will notify administrator Z, using a specific email notification template.

Oracle Audit Vault and Database Firewall has a preconfigured alert that is triggered based on alert settings in your Database Firewall policy. The alerts you create are for audit and other events not associated with Database Firewall.

To create or modify an alert:

  1. Log in to the Audit Vault Server console as an auditor.

  2. Click the Policy tab.

  3. From the Alerts menu on the left, select Alert Definitions.

    The Alert Definitions page appears with a list of the existing alerts. To view or modify the definition for an existing alert, click its name in the Alert Name field.

  4. For a new alert, click Create; otherwise, click the name of the alert to modify.

    The Create (or Modify) Alert page appears.

  5. Enter the alert Name and optional Description in the appropriate fields.

  6. Specify the following information:

    • Name: Enter a name for the alert.

    • Secured Target Type: Select a secured target type, for example, Oracle Database.

    • Severity: Select Warning or Critical.

    • Threshold: Enter the number of times the alert condition should be met before the alert is raised.

    • Duration: If you entered a threshold value that is more than 1, enter the length of time (in minutes) within which the alert condition must be met that many times. For example, if you enter a threshold of 3 and a duration of 5, then the condition must be met 3 times in 5 minutes to raise an alert.

    • Group By (Field): Select a field from the list to group events by this column for this alert.

    • Description: Optionally, enter a description for this alert.

    • Condition: Enter a Boolean condition that must be met for this alert to be triggered.

      You can click any of the Condition - Available Fields listed on the right to enter them as part of the alert condition. These fields are the permissible audit record fields you can use to build your condition in the following format:

      :condition_field operator expression

      You can use any valid SQL WHERE clause with the available fields, making sure to include a colon (:) before that field. For example, your condition may be:

      upper(:EVENT_STATUS)='FAILURE'

  7. Optionally, in the Notification area:

    1. Specify the following information:

      • Template: Select a notification template to use for this alert. (To create alert templates.)

      • Distribution List: Select an email distribution list that will be notified about this alert.

      • To: Enter email addresses, separated by commas, to receive notifications.

      • Cc: Enter email addresses, separated by commas, to be copied on notifications.

    2. Click Add to List to record the email recipients that you entered in the To and Cc fields.

  8. Click Save.

    The new alert appears in the Alert Definitions page.

You can monitor alert activity from the dashboard on the Audit Vault Server console Home page.

8.2.2 Writing Alert Conditions

8.2.2.1 About Alert Conditions

In the Condition field of the Create Alert page, you can construct a Boolean condition that evaluates audit events. When the Boolean condition evaluates to TRUE, then Oracle Audit Vault and Database Firewall raises the alert, and notifies any specified users. As a general guideline, try to keep your alert conditions simple. Overly complex conditions can slow the Audit Vault Server database performance.

8.2.2.2 Writing an Alert Condition

Syntax of Alert Conditions

The syntax for an alert condition is:

:condition_field operator expression

For example:

:event_status='FAILURE' and upper(:event_name)=upper('LOGON')

An alert condition is similar to a WHERE clause in a SELECT statement, with an added colon (:). For example, the above condition looks like the WHERE clause in this SELECT statement:

SELECT user_name, event_status, event_name from avsys.event_log
   WHERE event_status='FAILURE' and upper(event_name)=upper('LOGON');

The WHERE clause above captures events in the avsys.event_log table where the event was LOGON and the event status was FAILURE. Converting this WHERE clause to an alert condition will cause that alert to be triggered whenever there are failed logons. You can specify in the alert how many failed logons within a specified period of time trigger the alert.

Rules for Writing Alert Conditions

Table 8-1 lists the rules for writing alert conditions and gives some examples.

Table 8-1 Rules for Writing Alert Conditions

Use the available audit record fields

The Create Alert page has a list of fields you can copy and use to build the alert condition.

Use any legal SQL function

You can use any legal SQL function, including user-defined functions. However, you cannot use sub-query statements. For example, you can use:

  • upper()

  • lower()

  • to_char()

Use any legal SQL operator

For example, you can use:

  • not

  • like

  • <

  • >

  • in

  • and

  • null

When using operators, follow these guidelines:

  • Remember that Oracle Audit Vault and Database Firewall evaluates an alert condition for each incoming audit record.

  • You cannot use nested queries (for example, not in SELECT...) in the condition.

Use wildcards

You can use the following wildcards:

  • % (to match zero or more characters)

  • _ (to match exactly one character)

Group components of a condition

You can group components within the condition by using parentheses. For example:

(((A > B) and (B > C)) or C > D)
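The rules in Table 8-1 are easy to get wrong in the small Condition field, and a condition that violates them is either rejected at save time or, worse, saved and silently never fires. The following is an added example (not part of the guide or of the Oracle product) of a pre-flight check for a condition string: it confirms that every referenced field carries the colon prefix and is one of the fields in Table 8-2, rejects nested SELECT statements and unbalanced grouping parentheses, flags the common `= NULL` mistake (a comparison that is never true in SQL), and rewrites the condition into the plain WHERE-clause form the guide compares it to, so it can be tried against avsys.event_log in a test query. The field list is taken from Table 8-2; the check logic itself is an assumption about how one would validate conditions, not the server's own parser.

```python
import re

# Fields permitted in alert conditions, as listed in Table 8-2 of this chapter.
AVAILABLE_FIELDS = {
    "ACTION_TAKEN", "AV_TIME", "CLIENT_HOST_NAME", "CLIENT_ID", "CLIENT_IP",
    "CLUSTER_TYPE", "COMMAND_CLASS", "ERROR_CODE", "ERROR_MESSAGE", "EVENT_NAME",
    "EVENT_STATUS", "EVENT_TIME", "LOCATION", "NETWORK_CONNECTION", "POLICY_NAME",
    "OSUSER_NAME", "SECURED_TARGET_CLASS", "SECURED_TARGET_NAME", "TARGET_OBJECT",
    "TARGET_OWNER", "TARGET_TYPE", "TERMINAL", "THREAT_SEVERITY", "USER_NAME",
}

# A field reference is a colon followed by an identifier, e.g. :EVENT_STATUS
FIELD_REF = re.compile(r":([A-Za-z_][A-Za-z0-9_]*)")


def _blank_string_literals(text):
    """Empty out single-quoted literals so keywords or colons inside them are ignored."""
    return re.sub(r"'[^']*'", "''", text)


def check_condition(condition):
    """Return a list of rule violations for an alert condition; an empty list means it passed.

    The checks follow Table 8-1: fields must be the available ones and carry a colon
    prefix, sub-queries are not allowed, and grouping parentheses must balance. The
    '= NULL' check is an ordinary SQL pitfall: such a comparison is never true, so an
    alert written that way could never be raised.
    """
    problems = []
    text = _blank_string_literals(condition)

    refs = FIELD_REF.findall(text)
    if not refs:
        problems.append("no :FIELD reference; prefix each audit record field with a colon")
    for name in refs:
        if name.upper() not in AVAILABLE_FIELDS:
            problems.append(f"unknown field :{name}")

    if re.search(r"\bselect\b", text, re.IGNORECASE):
        problems.append("nested queries (SELECT ...) are not allowed in a condition")

    if re.search(r"(=|<>|!=)\s*null\b", text, re.IGNORECASE):
        problems.append("comparison with = NULL is never true; use IS NULL or IS NOT NULL")

    if text.count("(") != text.count(")"):
        problems.append("unbalanced parentheses")

    return problems


def to_where_clause(condition):
    """Rewrite :FIELD references as column names, giving the equivalent WHERE clause.

    String literals are left untouched so a colon inside quotes is not rewritten.
    """
    parts = re.split(r"('[^']*')", condition)
    return "".join(
        p if p.startswith("'") else FIELD_REF.sub(lambda m: m.group(1).lower(), p)
        for p in parts
    )


if __name__ == "__main__":
    for cond in (
        "upper(:EVENT_STATUS)='FAILURE' and upper(:EVENT_NAME)='LOGON'",
        ":EVENT_NAME='LOGON' and :USER_NAME='apps' and :CLIENT_IP=NULL",
    ):
        print(cond, "->", check_condition(cond) or "OK")
        print("  WHERE", to_where_clause(cond))
```

Run it on a condition before pasting it into the Create Alert page; the `to_where_clause` output can be dropped into a SELECT against avsys.event_log to confirm the condition matches the records you expect before the alert goes live.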

Example 1

You want to be alerted whenever there are three failed logon attempts on Oracle Database secured targets within a five-minute period.

To write a condition for this alert, you can copy EVENT_STATUS and EVENT_NAME from the available fields list, and use them to write this condition:

upper(:EVENT_STATUS)='FAILURE' and upper(:EVENT_NAME)='LOGON'

The figure below shows how this alert looks in the Create Alert page in the Audit Vault Server console.

Tip: Set the threshold to 3 (3 times) and duration to 5 (less than 5 minutes) with this condition. You can look up audit event names and attributes in Oracle Database Audit Events through Active Directory Audit Events.
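To see how the Threshold, Duration and Group By settings from the Create Alert page combine with the condition in Example 1, here is an added example (not code from the guide or from the Oracle product) that replays a handful of constructed audit records through a small model of the alert: the condition is evaluated on every record, matching records are counted per USER_NAME, and an alert is raised once three failed LOGON events fall within five minutes for the same user. The sliding window over EVENT_TIME and the restart of the count after an alert are assumptions; the guide does not state the server's exact windowing, so read this as an illustration of the settings rather than as the product's implementation. The records are sample data and the helper names are my own.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def failed_logon(record):
    """Example 1 condition: upper(:EVENT_STATUS)='FAILURE' and upper(:EVENT_NAME)='LOGON'."""
    return (record["EVENT_STATUS"].upper() == "FAILURE"
            and record["EVENT_NAME"].upper() == "LOGON")


class ThresholdAlert:
    """Model of an alert definition's Threshold, Duration and Group By settings.

    Assumption: matches are counted in a window that slides over EVENT_TIME, and the
    count for a group restarts after an alert is raised for it.
    """

    def __init__(self, name, condition, threshold=1, duration=None, group_by=None):
        self.name = name
        self.condition = condition          # callable taking one audit record
        self.threshold = threshold          # number of matches needed
        self.window = timedelta(minutes=duration) if duration else None
        self.group_by = group_by            # field whose value separates the counts
        self._matches = defaultdict(deque)  # group value -> EVENT_TIMEs of recent matches
        self.raised = []

    def process(self, record):
        """Feed one audit record; return the alert dict if this record raised one, else None."""
        if not self.condition(record):
            return None
        key = record.get(self.group_by) if self.group_by else None
        times = self._matches[key]
        times.append(record["EVENT_TIME"])
        if self.window is not None:
            # Drop matches that fall outside the duration window ending at this record
            while record["EVENT_TIME"] - times[0] > self.window:
                times.popleft()
        if len(times) < self.threshold:
            return None
        alert = {
            "name": self.name,
            "group": key,
            "count": len(times),
            "event_time": record["EVENT_TIME"],        # when the triggering event occurred
            "av_time": datetime.now(timezone.utc),     # when the alert itself was raised
        }
        self.raised.append(alert)
        times.clear()
        return alert


def make_record(hhmm, user, event, status):
    """Build a constructed audit record (sample data, not from a real secured target)."""
    return {
        "EVENT_TIME": datetime.strptime(f"2014-04-16T{hhmm}", "%Y-%m-%dT%H:%M"),
        "USER_NAME": user,
        "EVENT_NAME": event,
        "EVENT_STATUS": status,
        "SECURED_TARGET_NAME": "hrdb",
    }


def run_example_1():
    """Replay constructed records through Example 1 (threshold 3, duration 5, grouped by USER_NAME)."""
    alert = ThresholdAlert("failed_logons", failed_logon,
                           threshold=3, duration=5, group_by="USER_NAME")
    records = [
        make_record("22:40", "JDOE", "LOGON", "FAILURE"),    # too old to count with the later burst
        make_record("22:51", "ASMITH", "LOGON", "FAILURE"),
        make_record("22:52", "JDOE", "LOGON", "FAILURE"),
        make_record("22:53", "JDOE", "LOGON", "SUCCESS"),    # does not match the condition
        make_record("22:54", "JDOE", "LOGON", "FAILURE"),
        make_record("22:55", "JDOE", "LOGON", "FAILURE"),    # third failure within 5 minutes: alert
        make_record("23:10", "ASMITH", "LOGON", "FAILURE"),  # only two failures, 19 minutes apart
    ]
    for r in records:
        alert.process(r)
    return alert.raised


if __name__ == "__main__":
    for a in run_example_1():
        print(f"{a['name']}: {a['count']} matches for {a['group']} "
              f"ending at event time {a['event_time']:%H:%M}, raised at {a['av_time']:%H:%M:%S}")
```

Note the two timestamps on the alert: `event_time` is the time of the audit event that completed the threshold, while `av_time` is when the alert was raised, which matches the distinction the overview draws between the event timestamp and the alert timestamp.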

Example 2

You want to monitor application shared schema accounts that are being used outside the database. An example of this scenario is when the database user is APPS and the client identifier is set to NULL.

To write a condition for this alert, you can copy the EVENT_NAME and USER_NAME fields from the available fields list, and use them to write this condition:

:EVENT_NAME='LOGON' and upper(:USER_NAME)='APPS' and :CLIENT_ID is null

This condition says, "Raise an alert if any ex-employee tries to log in to the database."

Tip: You can look up audit event names and attributes in Oracle Database Audit Events through Active Directory Audit Events.

Alert for Example 1 in the Audit Vault Server Console

The figure below shows what the alert from Example 1 above looks like in the Create Alert page in the Audit Vault Server console.

This alert says: "Alert me whenever there are three failed logon attempts on Oracle Database secured targets within a five-minute period."

The alert Condition uses two of the Condition - Available Fields on the right side of the Create Alert page.

If this alert is raised, its Severity will be set to Warning. An email will also be sent to the user avdf_auditor@samplecompany.com, using the Alert Notification Template.

In reports, instances of this alert will be grouped by client application ID.

Available Audit Record Fields for use in Alert Conditions

Table 8-2 describes the available audit record fields you can use in alert conditions. These fields appear on the Create Alert page (shown in the figure above) so that you can cut and paste them into alert conditions as needed.

Important: These fields must be preceded by a colon (:) when used in the condition (for example :USER_NAME).

Table 8-2 Available Fields for Alert Conditions

Condition Field Description

ACTION_TAKEN

(Firewall Alerts) Action taken by the Database Firewall, for example: BLOCK, WARN, or PASS

AV_TIME

The time Oracle Audit Vault and Database Firewall raised the alert

CLIENT_HOST_NAME

The host name of the client application that was the source of the event causing the alert

CLIENT_ID

The ID of the client application that was the source of the event causing the alert

CLIENT_IP

The IP address of the client application that was the source of the event causing the alert

CLUSTER_TYPE

(Firewall Alerts) The cluster type of the SQL statement causing the alert. Values may be:

Data Manipulation
Data Definition
Data Control
Procedural
Transaction
Composite
Composite with Transaction

COMMAND_CLASS

The Oracle Audit Vault and Database Firewall command class.

Tip: You can look up audit event names and attributes in Oracle Database Audit Events through Active Directory Audit Events.

ERROR_CODE

The secured target's error code

ERROR_MESSAGE

The secured target's error message

EVENT_NAME

The secured target's audit event name.

Tip: You can look up audit event names and attributes in Oracle Database Audit Events through Active Directory Audit Events.

EVENT_STATUS

Status of the event: Success or Failure

EVENT_TIME

The time that the event occurred

LOCATION

Describes where the audit trail is located. Valid values are:

Audit File
Audit Table
Transaction Log
Event Log
Syslog
Network
Custom

NETWORK_CONNECTION

Description of the connection between the secured target database and the database client, in the following format:

client_ip:client_port,database_ip:database_port

For example:

198.51.100.1:5760,203.0.113.1:1521

POLICY_NAME

The name of the Database Firewall policy

OSUSER_NAME

Name of the secured target's OS user

SECURED_TARGET_CLASS

Secured targets fall into these classes:

Database
OS
Directory Service
Filesystem

SECURED_TARGET_NAME

Name of the secured target in Oracle Audit Vault and Database Firewall.

TARGET_OBJECT

Name of the object on the secured target, for example, a table name, file name, or a directory name. Must be in upper case, for example, ALERT_TABLE.

TARGET_OWNER

Owner of the object on the secured target

TARGET_TYPE

The object type on the secured target, for example, TABLE, or DIRECTORY

TERMINAL

The Unix terminal that was the source of the event causing the alert (for example, /dev/1)

THREAT_SEVERITY

(Firewall Alerts) The threat severity of the SQL statement triggering the alert, as defined in a Database Firewall policy. Values may be: Unassigned, Insignificant, Minor, Moderate, Major, or Catastrophic.

USER_NAME

User name of the secured target user

8.2.3 Disabling, Enabling, or Deleting Alerts

You can disable an alert while keeping the alert definition in case you wish to enable this alert again in the future.

To disable or enable alerts:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Policy tab.
  3. From the Alerts menu, select Alert Definitions.

    The alerts list is displayed. You can adjust the appearance of the list from the Actions menu.

  4. Select the check boxes for the alerts that you want, and then click Disable, Enable, or Delete.

8.3 Monitoring Alerts

Oracle AVDF raises an alert when data matches an alert rule condition in a single audit record, or matches multiple events with its duration and threshold setting. Auditors can view recently raised alerts in the dashboard on the Audit Vault Server console's Home page. Alerts are grouped by the time that the alerts are raised, and by the severity level of the alert (warning or critical). From here, you can drill down to reports.

You can also schedule alert reports from the Audit Vault Server Reports tab.

8.4 Responding to an Alert

After you have created alerts and when they are generated, you or other auditors can respond to them. You can change the alert status (for example, closing it), or notify other users of the alert.

To respond to an alert:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Access the alert by using one of the following methods:
    • From the Dashboard page, select the alert from the Recently Raised Alerts list.

    • From the Reports tab, expand the Alert Reports section, then select All Alerts, Critical Alerts, or Warning Alerts.

  3. Select the check boxes for the alerts to which you want to respond.
  4. Take any of the following actions:
    • Notify another auditor of the alert. Click the Notify button. In the Manual Alert Notification page, select the notification template. Then you must select a distribution list and/or enter email addresses in the To or Cc fields. Separate multiple email addresses with a comma. Click the Add to List button to compile the listing, and then click the Notify button to send the notification.

    • Details. Select the page icon under the Details column for the report, and under the Notes area, enter a note to update the status of the alert.

    • Set the alert status. From the Set Status to list, select New or Closed, or a user-defined status value if available, and then click the Apply button. When an alert is first generated, it is set to New.

8.5 Creating Custom Alert Status Values

You can create alert status values to assign to an alert during the lifetime of the alert. Oracle Audit Vault and Database Firewall provides two status values: New and Closed. You can create additional ones to suit your needs, such as Pending.

To create an alert status value:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Policy tab.
  3. From the Alerts menu on the left, click Manage Alert Status.

    The Manage Alert Status page appears. From here you can edit or delete existing user-defined alert status values.

  4. To create a new alert status, click Create.
  5. In the Create Alert Status Value page, enter the following settings:
    • Status Value: Enter a name for the status value (for example, Pending).

    • Description: Optionally, enter a description for the status value.

  6. Click Save.

    The new alert status appears in the Manage Alert Status page.

8.6 Forwarding Alerts to Syslog

In addition to seeing alerts in reports, and receiving them in notifications as specified in the alert configuration, you can also forward all alert messages to syslog.

As a prerequisite to forwarding alerts to syslog, the Oracle Audit Vault and Database Firewall administrator must configure syslog destinations in the Audit Vault Server, and select Alert as a syslog category. See the Oracle Audit Vault and Database Firewall Administrator's Guide for instructions.

To forward all alerts to syslog:

  1. Log in to the Audit Vault Server console as a super auditor.
  2. Click the Policy tab.
  3. Click Alerts from the menu on the left, and then click Forward Alerts to Syslog.

    All defined alerts are forwarded to syslog.

Example 8-1 Oracle Audit Vault and Database Firewall Syslog Alert Message Format

Oracle Audit Vault and Database Firewall alerts appear in syslog in a format similar to the following:

[AVDFAlert@111 name="alert_name" severity="alert_severity" 
url="auditor_console_URL_for_alert" time="alert_generated_time" target="secured_target" user="username" desc="alert_description"]

The user and target parameters may list zero or more users or targets related to this alert.

Example:

Apr 16 23:22:31 avs08002707d652 logger: [AVDFAlert@111 name="w_1" severity="Warning" url="https://192.0.2.10/console/f?p=7700..." time="2014-04-16T22:55:30.462332Z" target="cpc_itself" user="JDOE" desc=" "]
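Once alerts are forwarded to syslog they usually land in a SIEM or log pipeline, so the receiving side needs to pull the parameters back out of the AVDFAlert element. The following is an added example (not part of the guide or of the Oracle product) of a parser for the format in Example 8-1: it locates the `[AVDFAlert@111 ...]` element, reads each `name="value"` parameter, converts the `time` value to a timezone-aware datetime, and returns None for syslog lines that carry no well-formed element. The first sample line is the one shown above; the second and third lines are constructed for illustration, and the severity-based filter and its ranking of Warning below Critical are my own additions.

```python
import re
from datetime import datetime, timezone

# Structured-data element that AVDF writes into each syslog alert message (Example 8-1)
SD_PREFIX = "[AVDFAlert@111"
# One name="value" parameter; backslash escapes inside the value are accepted
PARAM = re.compile(r'\s*(\w+)="((?:[^"\\]|\\.)*)"')


def parse_avdf_alert(line):
    """Extract the AVDFAlert parameters from one syslog line.

    Returns a dict keyed by parameter name (name, severity, url, time, target, user, desc)
    plus 'timestamp', the 'time' value as an aware datetime, or None if the line carries
    no well-formed AVDFAlert element.
    """
    start = line.find(SD_PREFIX)
    if start < 0:
        return None
    pos = start + len(SD_PREFIX)
    params = {}
    while True:
        m = PARAM.match(line, pos)
        if m is None:
            break
        key, raw = m.group(1), m.group(2)
        params[key] = raw.replace('\\"', '"').replace("\\]", "]").replace("\\\\", "\\")
        pos = m.end()
    if line[pos:pos + 1] != "]":
        return None  # element not closed: treat as malformed rather than guessing
    if "time" in params:
        try:
            params["timestamp"] = datetime.strptime(
                params["time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        except ValueError:
            params["timestamp"] = None
    return params


def alerts_at_or_above(lines, min_severity="Warning"):
    """Return parsed alerts whose severity is at least min_severity (Warning < Critical)."""
    rank = {"Warning": 1, "Critical": 2}
    wanted = rank[min_severity]
    selected = []
    for line in lines:
        parsed = parse_avdf_alert(line)
        if parsed and rank.get(parsed.get("severity"), 0) >= wanted:
            selected.append(parsed)
    return selected


# First line is the sample from Example 8-1; the other two are constructed for illustration.
SAMPLE_LINES = [
    'Apr 16 23:22:31 avs08002707d652 logger: [AVDFAlert@111 name="w_1" severity="Warning" '
    'url="https://192.0.2.10/console/f?p=7700..." time="2014-04-16T22:55:30.462332Z" '
    'target="cpc_itself" user="JDOE" desc=" "]',
    'Apr 16 23:25:02 avs08002707d652 logger: [AVDFAlert@111 name="c_schema_change" '
    'severity="Critical" url="https://192.0.2.10/console/f?p=7700..." '
    'time="2014-04-16T23:01:12.000000Z" target="hrdb" user="APPS" desc="DDL on HR.EMPLOYEES"]',
    'Apr 16 23:26:00 avs08002707d652 cron[2201]: (root) CMD (run-parts /etc/cron.hourly)',
]


if __name__ == "__main__":
    for alert in alerts_at_or_above(SAMPLE_LINES):
        print(f"{alert['timestamp']:%Y-%m-%d %H:%M:%S} {alert['severity']:8} "
              f"{alert['name']} target={alert['target']} user={alert['user']}")
```

The `user` and `target` parameters may carry zero or more values, as the guide notes; the parser keeps them as the raw string because the guide does not specify a separator, so split them in your own pipeline according to what your server actually emits.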