Learning Rules and Audit
Database protection from DataSunrise is effected through sets of audit, security and masking rules. This approach makes protection very versatile and highly customizable. However, DataSunrise is constantly thinking about how to make database protection even more user-friendly and efficient.
DataSunrise can analyze all corporate traffic and create a “white list” of database user operations considered safe for the given environment. In effect, this “white list” is an array of SQL statements, target database user names and database objects typical for the target database environment. Based on this “white list”, database administrators can create audit, security and masking rules. Below are instructions on how to set up learning rules.
- Navigate to Audit → Learning Rules and click Add Rule.
- In the Main Section subsection, give your learning rule a name, which can be anything. After that, select a database type and instance to learn from.
- In the Filter Sessions subsection you can specify a user or a group of users you’re creating this rule for.
In the Action subsection you can select an action for the rule. It can be either Learn or Skip. If you choose Learn, all incoming queries will be logged and added to predefined SQL groups. If you choose Skip, incoming queries will be ignored. In addition, you can set up a schedule for the rule to be active.
In the Filter SQL Statement subsection you can set the filter requirements for queries. Below is some additional information on the settings in this subsection, followed by a screenshot for your reference.
| Interface element | Description |
| --- | --- |
| Save Statements in the Group drop-down list | An SQL group DataSunrise should add logged statements to. Default groups are available. Click “Plus” (+) to add a new group to the list. |
| Save Objects in the Group drop-down list | An Object group DataSunrise should add logged objects to. Click “Plus” (+) to add a new group to the list. |
| Save Users in the Group drop-down list | A User group DataSunrise should add logged users to. Click “Plus” (+) to add a new group to the list. |
| Save Applications check box (‘Yes’, ‘No’) | Select Yes to create client application name entries. |
After you’ve finished configuring a learning rule, don’t forget to click Save Rule. Now that we’ve “whitelisted” some queries, it’s time to set up auditing rules. We can use the statements, objects, users and application information from the newly created learning rule in the audit rule below.
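As an added illustration (not DataSunrise code and not part of the original article), the sketch below models what a learning rule collects: a session filter on users, the Learn or Skip action, and the statement, object, user and application groups that get populated. The traffic is constructed, and the `LearningRule` class, the literal-stripping normalization and the regex-based object extraction are assumptions made for the example; the page does not describe how DataSunrise parses or groups statements.

```python
import re
from dataclasses import dataclass, field

# Constructed sample traffic: (db_user, client_application, sql). Not real captures.
SAMPLE_TRAFFIC = [
    ("app_user", "billing-service", "SELECT id, total FROM invoices WHERE id = 42"),
    ("app_user", "billing-service", "SELECT id, total FROM invoices WHERE id = 977"),
    ("app_user", "billing-service", "UPDATE invoices SET status = 'paid' WHERE id = 42"),
    ("report_ro", "pgAdmin", "SELECT name FROM customers JOIN invoices ON customers.id = invoices.customer_id"),
    ("postgres", "psql", "DROP TABLE invoices"),
]

@dataclass
class LearningRule:
    """Hypothetical model of a learning rule: session filter, action, target groups."""
    users: set                       # Filter Sessions: users the rule applies to
    action: str = "learn"            # Action: "learn" or "skip"
    save_applications: bool = True   # Save Applications: Yes / No
    statements: set = field(default_factory=set)     # statement group
    objects: set = field(default_factory=set)        # object group
    learned_users: set = field(default_factory=set)  # user group
    applications: set = field(default_factory=set)   # client application names

def fingerprint(sql):
    """Assumed normalization: strip literals so repeated queries collapse to one entry."""
    sql = re.sub(r"'(?:[^']|'')*'", "?", sql)  # string literals
    sql = re.sub(r"\b\d+\b", "?", sql)          # numeric literals
    return re.sub(r"\s+", " ", sql).strip().lower()

def referenced_objects(sql):
    """Naive extraction: the identifier following FROM / JOIN / INTO / UPDATE / TABLE."""
    pattern = r"\b(?:from|join|into|update|table)\s+([A-Za-z_][\w.]*)"
    return {name.lower() for name in re.findall(pattern, sql, re.I)}

def learn(rule, traffic):
    """Apply the rule to observed traffic and fill its groups."""
    for user, app, sql in traffic:
        if user not in rule.users or rule.action == "skip":
            continue  # outside the session filter, or the rule is set to Skip
        rule.statements.add(fingerprint(sql))
        rule.objects |= referenced_objects(sql)
        rule.learned_users.add(user)
        if rule.save_applications:
            rule.applications.add(app)
    return rule

if __name__ == "__main__":
    rule = learn(LearningRule(users={"app_user", "report_ro"}), SAMPLE_TRAFFIC)
    print(sorted(rule.statements), sorted(rule.objects), sorted(rule.applications))
```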
To set up an auditing rule we need to do the following:
- Navigate to Audit → Rules → Add Rule.
- Give a name to your audit rule. This name can be anything. Specify a database type and instance. In the Comment field you can add any comment.
- In the Action subsection you’ll see a lot of settings, the most important of which is Log Event in Storage. The default settings, as in the picture below, will ensure reliable auditing of your database(s). Check the Skip checkbox if you want to skip this subsection.
- In the Filter Sessions subsection, add a condition for your audit rule. In the picture below, by clicking Add Condition we’ve chosen to audit our Postgres database using a specific application – the pgAdmin 3 query tool.
- In the Filter Statements subsection you can customize query filtering. Let’s filter statements by Query Group. For this we can use data from the learning rule we created earlier. In the learning rule we set up the Statements_group_learning group, so select it from the Process Group of Query drop-down list. After that, click Add Object Group. You can also use Skip Group of Query. In our picture we chose to skip pgAdmin queries.
In the window that shows up after clicking Add Object Group, select the required object group (below, it’s Objects_group_learning from our learning rule) and click Add Object Group.
The specified object group appears in the Choose Object Groups section.
Click Save at the bottom of the rule’s page to save it. From now on your auditing rule will be using data from your learning rule and is fully operational!
DataSunrise is the company that makes data protection highly efficient, versatile and user-friendly.