Defining an Alarm Policy (cloned)
In the Policy tab, select and edit an existing policy.

Kron DAM Masking Alarm

· A masking method is defined under Policy ▸ Masking Method (e.g., stuff(${column},1,7,'masked') for MSSQL).
· A masking policy is created specifying database, schema, table, column, and the masking method.
· The policy is added to a policy group, then the group is linked to the appropriate policy realm.
· When the SQL proxy detects a query on a masked column, the data set is presented in its masked form and the corresponding alarm rule (if configured) is evaluated.

Kron DAM Policy Alarm

· A policy key of type Black Key is created (regex or literal query fragment).
· The key is placed in a policy group and associated with the target device realm.
· The key action is set to Generate Error, so that any query containing the forbidden key is denied.
· On execution of a Black Key query, the session is terminated, the user receives an error, and the alarm workflow is triggered.

Kron DAM Buffer Overflow Alarm

Kron DAM implements buffer overflow protection at the SQL proxy layer by validating incoming request sizes. If a request exceeds the defined buffer size limit, it is blocked immediately to prevent potential overflow attacks or abuse patterns such as denial-of-service vectors, and the system alarm is generated. The mechanism ensures system resilience against malformed or maliciously large queries.

· The Buffer Overflow Alarm is provided as a system-defined policy.
· The alarm status can be enabled by navigating to Database Alarm → Policy → Actions and clicking the bell icon.
· The notification target and alarm level can be customized via Database Alarm → Policy → Edit Policy.
· Email fields and subject lines can be edited through Database Alarm → Notification Targets → Admin.
· Triggered alarms can be viewed under Database Alarm → History → Parent Policy → Buffer Overflow Alarm.

This feature is disabled by default. To enable buffer overflow protection, set the following master parameters:

| Parameter | Description | Default |
|---|---|---|
| dam ddm buffer overflow attack protection | Enables the buffer overflow protection mechanism. | false |
| dam ddm buffer overflow limit | Maximum allowed request size in bytes. Values below 8192 bytes are not recommended due to minimum metadata requirements. | 65535 bytes |

Kron DAM Connection Rate Alarm

Kron DAM implements protection against excessive connection requests at the SQL proxy layer by monitoring incoming database connection attempts. When the number of requests exceeds the threshold defined in the System Configuration Manager, an alarm is triggered. This mechanism helps prevent abnormal load conditions and potential abuse patterns, ensuring system stability and availability.

· The Connection Rate Alarm is provided as a system-defined policy.
· The alarm status can be enabled by navigating to Database Alarm → Policy → Actions and clicking the bell icon.
· The notification target and alarm level can be customized via Database Alarm → Policy → Edit Policy.
· Email fields and subject lines can be edited through Database Alarm → Notification Targets → Admin.
· Triggered alarms can be viewed under Database Alarm → History → Parent Policy → Connection Rate Alarm.

This feature is disabled by default. To enable buffer overflow protection, set the following master parameters:

| Parameter | Description | Default |
|---|---|---|
| dam ddm buffer overflow attack protection | Enables the buffer overflow protection mechanism. | false |
| dam ddm connection rate limit per client ip | Maximum allowed number of concurrent connection attempts per client IP. | 20 |

Kron DAM Database Packet Rate Alarm

Kron DAM implements monitoring of client packet traffic at the SQL proxy layer after a session is established, by analyzing packets directed to a database, such as queries and ping operations. When the number of client packets sent to a database exceeds the threshold defined in the System Configuration Manager, an alarm is triggered. This mechanism helps detect abnormal traffic patterns targeting a database and prevents potential misuse, ensuring system performance and stability.

· The Database Packet Rate Alarm is provided as a system-defined policy.
· The alarm status can be enabled by navigating to Database Alarm → Policy → Actions and clicking the bell icon.
· The notification target and alarm level can be customized via Database Alarm → Policy → Edit Policy.
· Email fields and subject lines can be edited through Database Alarm → Notification Targets → Admin.
· Triggered alarms can be viewed under Database Alarm → History → Parent Policy → Packet Rate Alarm.

This feature is disabled by default. To enable buffer overflow protection, set the following master parameters:

| Parameter | Description | Default |
|---|---|---|
| dam ddm buffer overflow attack protection | Enables the buffer overflow protection mechanism. | false |
| dam ddm packet client rate limit per database | Maximum allowed number of client packets (queries, pings, etc.) per database within the session period. | 20 |

Kron DAM Packet Rate Alarm

Kron DAM implements monitoring of client packet traffic at the SQL proxy layer after a session is established, by analyzing packets originating from a user, such as queries and ping operations. When the number of client packets generated by a user exceeds the threshold defined in the System Configuration Manager, an alarm is triggered. This mechanism helps detect abnormal traffic patterns originating from a user and prevents potential misuse, ensuring system performance and stability.

· The User Packet Rate Alarm is provided as a system-defined policy.
· The alarm status can be enabled by navigating to Database Alarm → Policy → Actions and clicking the bell icon.
· The notification target and alarm level can be customized via Database Alarm → Policy → Edit Policy.
· Email fields and subject lines can be edited through Database Alarm → Notification Targets → Admin.
· Triggered alarms can be viewed under Database Alarm → History → Parent Policy → User Packet Rate Alarm.

This feature is disabled by default. To enable buffer overflow protection, set the following master parameters:

| Parameter | Description | Default |
|---|---|---|
| dam ddm buffer overflow attack protection | Enables the buffer overflow protection mechanism. | false |
| dam ddm packet client rate limit per user | Maximum allowed number of client packets generated by an individual user. | 20 |

Kron DAM Policy Alarm

· Policy Alarm, Connection Rate Alarm, Masking Alarm, Buffer Overflow Alarm, Database Packet Rate Alarm and User Packet Rate Alarm are defined by the system.
· Navigate to Database Alarm > Policy.
· Select an existing policy from the list.
· Click the Edit button to modify the configuration.
  o If Enabled is selected, the policy becomes active immediately.
· Define rule parameters such as Alarm Level, Repeats Before Trigger, Max Repeat Count, Watched Metric / Operator / Value and Combinator to Next to specify the triggering conditions of the alarm.
  o Alarm Level defines the severity of the triggered alarm.
  o Repeats Before Trigger specifies how many identical events are required before raising an alarm.
  o Max Repeat Count limits how many times an alarm can be triggered for the same condition.
  o Watched Metric / Operator / Value determines the condition that activates the alarm rule.
  o Combinator to Next defines the logical relation between multiple conditions (AND / OR).
· Click the Save button to complete the configuration.

In the policy list, ensure the bell icon is toggled so that the policy is marked Enabled. The relevant alarm policy is highlighted and the edit icon is activated.

Populate the header fields:

· Name – logical identifier displayed in reports.
· Enabled – activates the policy immediately.
· Linked Sources – choose DAM Alarm or other data sources that may trigger the policy.
· Move one or more targets into the Notification Targets pane.

Each alarm policy includes one or more rules that define the triggering conditions. When an event matches all rule criteria, an alarm is raised at the designated severity.

| Field | Purpose | Accepted values / behaviour |
|---|---|---|
| Alarm Level | Sets the severity that will be recorded and propagated to external systems (e-mail, SIEM, SNMP, etc.). When an alarm is first triggered it inherits this level; subsequent repeats may escalate automatically (see § 4.2). | Clear, Minor, Major, Critical (drop-down shown in Figure 5a) |
| Repeats Before Trigger | Defines the number of identical events that must be observed consecutively before the rule fires for the first time. | Positive integer (default = 1) |
| Max Repeat Count | Caps the total number of alarm messages that may be generated by this rule while the triggering condition remains true. Escalation logic: when the cap is reached, the alarm level is promoted one step up the list in the table above (tooltip shown in Figure 5b). | Positive integer (0 disables escalation; required value) |
| Override Notification Targets | When toggled on, a per-rule recipient list may be supplied, replacing the policy-level targets. | Boolean switch (off by default, see Figure 5c) |

| Field | Purpose | Accepted values / behaviour |
|---|---|---|
| Watched Metric | Selects an event attribute that is evaluated. The list is derived dynamically from the event type associated with the policy. | blocked (boolean), user (string), error (string) |
| Operator | Comparison applied between Watched Metric and Value. | is (equality) or not (inequality) |
| Value | Critical value that triggers the rule when the comparison evaluates true. Type depends on metric (string, boolean, numeric). | true (boolean) for blocked, or a literal username for user |
| Combinator to Next | Logical connector used when multiple condition lines are defined. Use the placeholder “ ” for a single-line rule. | and, or, xor |
| “+” / “−” icons | Add or remove additional condition lines. | UI controls at the right margin |

Example:

· Watched Metric: masked (boolean)
· Operator: is
· Value: true
· Alarm Level: Critical
· Repeats Before: 1

When a query returns masked data, the rule above triggers a Critical alarm, increments Repeat Count, and stops issuing new notifications after ten occurrences.

Reminder: after rules are saved, the parent policy must be enabled via the bell icon in the policy list; otherwise no alarm or notification will be produced.
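To make the rule fields in the two tables above concrete, here is an added Python model of how a rule evaluates a stream of events (example code written for this page, not Kron DAM's own implementation). It assumes that Repeats Before Trigger counts consecutive matches and a non-matching event resets the run, that a Max Repeat Count of 0 means no cap, and that the one-step escalation applies to the notification that reaches the cap; the sample rule and events are constructed.

```python
from dataclasses import dataclass
LEVELS = ["Clear", "Minor", "Major", "Critical"]  # severity ladder from the page

@dataclass
class Condition:          # one condition line of a rule
    metric: str           # Watched Metric, e.g. "masked", "blocked", "user"
    operator: str         # "is" (equality) or "not" (inequality)
    value: object         # Value compared against the event attribute
    combinator: str = ""  # "and"/"or"/"xor" to the next line; "" on the last
@dataclass
class Rule:
    conditions: list
    alarm_level: str = "Critical"
    repeats_before_trigger: int = 1
    max_repeat_count: int = 0  # 0 = no cap and no escalation (assumption)
    consecutive: int = 0       # state: identical matching events seen in a row
    repeat_count: int = 0      # state: notifications issued while condition holds

def condition_matches(cond, event):
    equal = event.get(cond.metric) == cond.value
    return equal if cond.operator == "is" else not equal

def rule_matches(rule, event):
    """Fold the condition lines left to right using each line's combinator."""
    result = condition_matches(rule.conditions[0], event)
    for prev, cond in zip(rule.conditions, rule.conditions[1:]):
        nxt = condition_matches(cond, event)
        result = {"and": result and nxt, "or": result or nxt,
                  "xor": result != nxt}[prev.combinator]
    return result

def evaluate(rule, event):
    """Severity to notify for this event, or None when nothing is sent."""
    if not rule_matches(rule, event):
        rule.consecutive = 0  # assumption: a non-matching event resets the run
        return None
    rule.consecutive += 1
    if rule.consecutive < rule.repeats_before_trigger:
        return None           # Repeats Before Trigger not yet reached
    if rule.max_repeat_count and rule.repeat_count >= rule.max_repeat_count:
        return None           # Max Repeat Count reached: no further notifications
    rule.repeat_count += 1
    level = rule.alarm_level
    if rule.repeat_count == rule.max_repeat_count:  # cap reached: promote one step
        level = LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]
    return level

def demo():
    """Constructed sample: page's masking rule at Major, cap 3, two repeats needed."""
    rule = Rule([Condition("masked", "is", True)], "Major", 2, 3)
    return [evaluate(rule, {"masked": m}) for m in (True, False, True, True, True, True, True)]
```

With the page's own example (Critical, Repeats Before 1, a cap of ten), the same evaluator emits ten Critical notifications and then goes quiet while the condition holds.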