IBM Security Guardium

Hello,

I'm trying to create a rule that will send an alert for a specific group of commands and for a specific group of users.

Since processes such as insert and update are often released, we do not want to get a large number of alerts. We tried to use the rule ALERT ONCE PER SESSION but the rule is triggered only once, for example for INSERT, if during the same session the user does UPDATE the rule is not triggered.

Is this behavior expected and what is the best way to solve this problem, ie for the user to receive an alert for each command and to avoid repeating the same queries over the same objects?

Best Regards,


------------------------------
Sanela Kovač
------------------------------

Hi Sanela,

Yes, it is expected and the alert is triggered once  if the INSERT and UPDATE are in same session. If you wanna receive an alert for each command, you can consider to use "Alert Per Match". For more info, please refer to:
https://www.ibm.com/docs/en/guardium/11.0?topic=actions-alerting-rule

------------------------------
Jonathan LU
Security Support Engineer
IBM
------------------------------

Original Message:
Sent: Fri August 27, 2021 04:04 AM
From: Sanela Kovač
Subject: Alert Once per Session Rule

Hello,

I'm trying to create a rule that will send an alert for a specific group of commands and for a specific group of users.

Since processes such as insert and update are often released, we do not want to get a large number of alerts. We tried to use the rule ALERT ONCE PER SESSION but the rule is triggered only once, for example for INSERT, if during the same session the user does UPDATE the rule is not triggered.

Is this behavior expected and what is the best way to solve this problem, ie for the user to receive an alert for each command and to avoid repeating the same queries over the same objects?

Best Regards,


------------------------------
Sanela Kovač
------------------------------