I've had this same request in the past and, unfortunately, Client IP is one of the fields that you CANNOT group on with a (.) like we do with DB User. The solution we used was a Correlation/Threshold Alert that runs on your schedule (10 minutes) looking back over 10 minutes. Build it against a Failed Login report that groups on Client IP with a count greater than whatever you want your threshold to be and alert as needed.
Hope this helps, let us know if this works for you!
Matt
------------------------------
Matthew Simons
------------------------------
Original Message:
Sent: Wed May 29, 2019 11:22 AM
From: David Huckle
Subject: Is there a way to create a policy alert for failed connections to more than one DB server from one client source?
Hello, I was wondering if anyone had any ideas as to whether it is possible within Guardium to configure a policy rule which would alert whenever there are x number of unsuccessful login attempts from a single client to multiple databases and/or database servers within a given time frame (e.g. 10 minutes). The userid could also differ or be the same - just the same client IP. At present I have only configured a rule to capture x number of failed login attempts for a specific userid, which is for a specific server.
Many thanks.
------------------------------
David H
------------------------------
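The correlation described in the reply above (failed logins grouped on client IP over a 10-minute look-back, alerting when the count exceeds a threshold), written out as an added Python example over constructed records. It is not Guardium configuration and not code from either poster. The threshold values, the record layout and the extra distinct-server check taken from the original question are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # look-back period used in the thread
THRESHOLD = 5                   # assumed value: alert when count > THRESHOLD
MIN_SERVERS = 2                 # assumed value: "more than one DB server"

def _t(minute, second=0):
    """Constructed timestamp, offset from an arbitrary start time."""
    return datetime(2019, 5, 29, 11, 0) + timedelta(minutes=minute, seconds=second)

# Constructed failed-login records: (time, client_ip, db_server, db_user)
SAMPLE = (
    # one client, six failures in under four minutes, three servers, varying users
    [(_t(0, 40 * i), "192.0.2.10", f"db0{i % 3 + 1}", f"user{i}") for i in range(6)]
    # one client, six failures inside the window, but a single server
    + [(_t(1, 30 * i), "192.0.2.20", "db01", "app") for i in range(6)]
    # one client, two servers, but only one failure every eight minutes
    + [(_t(8 * i), "198.51.100.7", f"db0{i % 2 + 1}", "app") for i in range(6)]
)

def correlate(events, window=WINDOW, threshold=THRESHOLD, min_servers=MIN_SERVERS):
    """Group failed logins on client IP only (DB user is ignored for grouping).

    Returns {client_ip: alert} for the first moment a client's failures inside
    the look-back window exceed `threshold` across at least `min_servers` servers.
    """
    recent = defaultdict(deque)   # client_ip -> failures still inside the window
    alerts = {}
    for ts, ip, server, user in sorted(events):
        q = recent[ip]
        q.append((ts, server, user))
        while ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        servers = sorted({s for _, s, _ in q})
        if ip not in alerts and len(q) > threshold and len(servers) >= min_servers:
            alerts[ip] = {
                "count": len(q),
                "servers": servers,
                "users": sorted({u for _, _, u in q}),
                "first_seen": q[0][0],
                "last_seen": ts,
            }
    return alerts

if __name__ == "__main__":
    for ip, alert in correlate(SAMPLE).items():
        print(ip, alert["count"], "failures on", ", ".join(alert["servers"]))
```
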