I currently have a collector running v11.2p250. I also have the Policy Changes Alert running for this collector. It seems in v11.2p250 the policy change alert catches an event from the "system" user (which is not a user that can be found) performing an insert on the policies. I have other appliances, 11.1 for example, where this does not occur. Is this a bug with the version, or is this new expected behavior? If it is expected, it creates a problem with the alert firing every specified interval. If it is a bug, is there any fix for this in a later release?

------------------------------
Chase Walkup
------------------------------

Hi Chase,

This is indeed working as designed, in the p250 release notes - https://delivery04.dhe.ibm.com/sar/CMA/IMA/09vdh/0/Guardium_v11_0_p250_patch_release_notes.pdf
Its caused by "GRD-49593 Scheduled policy installation is not stored in GUARD_USER_ACTIVITY_AUDIT".

GUARD_USER_ACTIVITY_AUDIT is the table that Policy alert changes alert is checking for changes.

Behavior prior to p250:
i) Manual policy installations by user are logged in GUARD_USER_ACTIVITY_AUDIT under the user who initiated the install 
ii) Scheduled policy installations are not logged in GUARD_USER_ACTIVITY_AUDIT

Behavior in p250 (Also in latest v10.6, v11.1 and v11.3 bundles and in v11.4):
i) Manual policy installations by user are logged in GUARD_USER_ACTIVITY_AUDIT under the user who initiated the install 
ii) Scheduled policy installations are logged in GUARD_USER_ACTIVITY_AUDIT under system user 

The reason for the change is that some customers want to track every time the policy is reinstalled, even if this is run by the schedule. It's a more accurate picture of what is really happening on the appliance. And if we do track the information, there is always the option to filter it out in report conditions.

Unfortunately for your use case it adds more noise to the alert. To reduce that you can make a new report in Guardium Activity domain, cloned from 'Policy Changes' report.  Add a condition User Name Not Equal to System. Then use your new cloned report in the Policy Changes Alert definition. 
That will revert the alert to the same results as pre p250 

Hope that helps,
Avi

------------------------------
Avram Walerius
------------------------------

Original Message:
Sent: Mon October 04, 2021 05:06 PM
From: Chase Walkup
Subject: Policy Changes Alert v11.2p250

I currently have a collector running v11.2p250. I also have the Policy Changes Alert running for this collector. It seems in v11.2p250 the policy change alert catches an event from the "system" user (which is not a user that can be found) performing an insert on the policies. I have other appliances, 11.1 for example, where this does not occur. Is this a bug with the version, or is this new expected behavior? If it is expected, it creates a problem with the alert firing every specified interval. If it is a bug, is there any fix for this in a later release?

------------------------------
Chase Walkup
------------------------------