Alerts
Overview
The Alerts page provides notifications related to resource access. By defining trigger conditions for major anomalies in advance, you can detect policy violations in real time. This allows potential security incidents to be identified and resolved quickly, and helps protect sensitive information from exposure and from queries that exceed predefined thresholds.
Creating Notifications
Click the Create Alert button at the top right of the Alerts page to create a new notification. Click the OK button to complete the notification creation.
Name : Notification Name
Alert Type : Refer to the notification types section below
Alert Detail : Notification sending conditions and message template
Sending Conditions: Refer to the notification types and sending conditions section below.
Message Template: Template for the message to be sent with the notification
Default templates are pre-filled based on notification type
You can check supported variable types in Message Template Variables (varies by Alert Type)
Channel : Channel for sending notifications
Select from the channels listed under Administrator > General > Channels.
For more details about channels, refer to the Channels document.
Notification Types
Alerts support common notifications as well as notifications specialized for DB access and system access. Refer to the table below to see the supported notification types for each service.
Service Classification | Notification Type | Description |
---|---|---|
SAC, DAC, KAC | New Request | New Approval Request Notification |
General | Unusual Login Attempt | User Login Activity Notification by IP Range |
DAC | SQL Execution | Notification for SQL Statement Execution Matching Defined Conditions |
DAC | Prevented SQL Execution | Unauthorized SQL Execution Notification |
DAC | DB Connection Attempt | Database Connection Success or Failure Notification |
DAC | Sensitive Data Access | Notification for Accessing Sensitive Data Based on Defined Conditions |
DAC | SQL Export | Notification for SQL Export Execution Based on Defined Conditions |
SAC | Server Connection Attempt | Server Connection Success or Failure Notification |
SAC | Restricted Command | Notification for Execution of Blocked Commands by Server/Server Group |
SAC | Specific Command | Specific Command Execution Notification |
SAC | File Transfer (SFTP) | File Transfer Execution Notification via SFTP |
Notification Types and Sending Conditions
When creating a notification, you can specify the sending conditions in the Alert Detail based on the selected notification type.
1. New Request
Notification for New Approval Request Registration.
Approval Type : Select the workflow request type (single choice).
Select All : Send notifications for all types.
Alert Trigger Condition (Urgent Mode) : Specify the trigger condition for the alert.
On : Send notifications only for post-approval requests.
Off : Send notifications only for requests that are not post-approval.
Select All : Send notifications for all approval requests.
2. Unusual Login Attempt
Notification for User Login Activity by IP Range.
Action Count : Number of failed authentication attempts required to trigger the notification.
Specific Time Interval (Minutes) : Time interval (in minutes) used as the basis for sending notifications.
For example, to send a notification for abnormal login attempts after 3 failed login attempts within 5 minutes:
Alert Type : Unusual Login Attempt
Action Count : 3
Specific Time Interval (Minutes) : 5
3. SQL Execution
Notification for SQL Statement Execution Matching Defined Conditions
Alert Trigger Condition (Rows) : Number of rows for which the SQL execution should trigger a notification.
SQL Events : SQL queries that should trigger a notification (multiple selections allowed).
Select All : Send notifications for all queries that meet the row count condition.
Connection : Target connection for sending notifications (single choice).
Select All : Send notifications for all connections.
Example 1: Notification for Large Data Retrieval
Alert Type : SQL Execution
Trigger Condition (Rows) : 100
SQL Events : SELECT
Example 2: Notification for Data Modification and Deletion Attempts
Alert Type : SQL Execution
Trigger Condition (Rows) : 1
SQL Events : UPDATE, DELETE
Example 3: Notification for Attempts to Create, Alter, Truncate, Drop Tables, or Delete Privileges
Alert Type : SQL Execution
Trigger Condition (Rows) : 0
SQL Events : CREATE, ALTER, DROP, TRUNCATE, REVOKE
4. Prevented SQL Execution
Notification for Unauthorized SQL Execution
Connection : Target connection for sending notifications (single choice)
Select All : Send notifications for all connections
5. DB Connection Attempt
Notification for Database Connection Success or Failure
Alert Trigger Condition : Condition for sending notifications.
Success : Send notifications for successful database connections.
Failure : Send notifications for failed database connections.
Connection Failure Trigger with Interval : Set conditions for connection failure notifications.
Off: No conditions (send notifications for every connection failure).
On: With conditions (send notifications only if failures exceed a defined number/period).
Action Count : Number of failures required to trigger a notification.
Specific Time Interval (Minutes) : Time period (in minutes) used to evaluate connection failures.
Connection : Target connection for sending notifications (single choice).
Select All : Send notifications for all connections.
Example: Notification for Abnormal Database Connection Attempts
Alert Type : DB Connection Attempt
Alert Trigger Condition : Failure
Connection Failure Trigger with Interval
Action Count : 3
Specific Time Interval (Minutes) : 5
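Action Count and Specific Time Interval appear both here and under Unusual Login Attempt. The following added example (not QueryPie code) replays failure events from an exported log against candidate settings so you can see how many notifications each pair would produce before saving it. The sample rows, the per-source key, the sliding window and the reset after each alert are all assumptions, since the page does not describe how the product evaluates the interval.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows (timestamp, source key, outcome); not real log data.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", "10.0.0.9", "FAILURE"),
    ("2024-05-01 09:00:10", "10.0.0.7", "FAILURE"),
    ("2024-05-01 09:01:40", "10.0.0.7", "FAILURE"),
    ("2024-05-01 09:02:00", "10.0.0.7", "SUCCESS"),
    ("2024-05-01 09:03:05", "10.0.0.7", "FAILURE"),
    ("2024-05-01 09:04:00", "10.0.0.9", "FAILURE"),
    ("2024-05-01 09:09:30", "10.0.0.9", "FAILURE"),
]


def replay(events, action_count, interval_minutes):
    """Return the (timestamp, key) pairs at which an alert would fire.

    Assumed semantics (hypothetical, not taken from the product): failures
    are counted per source key over a sliding window, and the window is
    cleared after an alert so that one burst yields one notification.
    """
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = []
    for ts_text, key, outcome in sorted(events):
        if outcome != "FAILURE":
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        failures = recent[key]
        failures.append(ts)
        # Drop failures that are older than the configured interval.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= action_count:
            alerts.append((ts_text, key))
            failures.clear()
    return alerts


if __name__ == "__main__":
    # Compare the documented 3-in-5 setting with a wider and a stricter one.
    for count, minutes in [(3, 5), (3, 10), (2, 5)]:
        print(count, minutes, replay(SAMPLE_EVENTS, count, minutes))
```

With the constructed rows, the 3-in-5 setting flags only the fast burst; the slower source spaced over nine and a half minutes is flagged only when the interval is widened to 10.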
6. Sensitive Data Access
Notification for Accessing Sensitive Data Based on Defined Conditions.
Alert Trigger Condition : Condition that triggers the notification.
Sensitive Level : Select from the registered sensitivity levels - Low, Medium, or High.
Policy : Choose from the sensitive data policies registered in QueryPie.
To use the Sensitive Data Access notification type, sensitive data policies must pre-define tables and columns containing personal information. For more details, refer to the Sensitive Data document.
Example 1: Notification for Accessing Personal Data with High Sensitivity Level
Alert Type : Sensitive Data Access
Alert Trigger Condition : Sensitive Level = High
Example 2: Notification for Accessing Personal Data in a Specific Database
Alert Type : Sensitive Data Access
Alert Trigger Condition : Policy = {pre-registered Sensitive Data policy}
For this notification type, ensure that personal data tables and columns are pre-defined in the Sensitive Data policy.
7. SQL Export
Notification for SQL Export Execution Matching Defined Conditions
Alert Trigger Condition (Rows) : Number of rows for which the SQL export should trigger a notification.
Connection : Target connection for sending notifications (single choice).
Select All : Send notifications for all connections.
Example: Notification for Attempting to Export More Than 100 Rows of Data
Alert Type : SQL Export
Trigger Condition (Rows) : 100
8. Server Connection Attempt
Notification for Server Connection Success or Failure.
Alert Trigger Condition : Condition for sending notifications.
Success : Send notifications for successful server connections.
Failure : Send notifications for failed server connections.
Connection : Target connections for sending notifications (multiple selections allowed).
You can select servers and server groups, and duplicate selections are allowed.
Even if multiple targets are selected, the notification will be sent only once.
Select All : Send notifications for all connections.
Example: Send Notification Only When a Server Connection Attempt Fails
Alert Type : Server Connection Attempt
Alert Trigger Condition : Check only Failure
9. Restricted Command
Notification for Execution of Blocked Commands by Server/Server Group.
Connection : Target connections for sending notifications (multiple selections allowed).
You can select servers and server groups, and duplicate selections are allowed.
Even if multiple targets are selected, the notification will be sent only once.
Select All : Send notifications for all connections.
10. Specific Command
Notification for Execution of Specific Commands.
Connection : Target connections for sending notifications (multiple selections allowed).
You can select servers and server groups, and duplicate selections are allowed.
Even if multiple targets are selected, the notification will be sent only once.
Select All : Send notifications for all connections.
Command : Conditions for triggering notifications for specific commands.
Keyword : Trigger notification if the command contains specified keywords.
RegExr : Trigger notification if the command matches the specified regular expression.
Example: Send Notification When a User Executes a Pre-defined Specific Command
Alert Type : Specific Command
Command : Keyword > rm, ls
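Because the Keyword condition fires when the command contains the keyword, short keywords such as rm and ls also match unrelated commands. The following added example (not QueryPie code) compares the two conditions on constructed session commands; the substring semantics follow the wording above, and the pattern is written in Python `re` syntax as an assumption, since the page does not state which regular expression flavour the product uses.

```python
import re

# Constructed sample commands; not taken from a real session log.
SAMPLE_COMMANDS = [
    "rm -rf /var/tmp/build",
    "ls -la /etc",
    "sudo rm /etc/cron.d/backup",
    "cd /tmp && /bin/rm core.1234",
    "systemctl restart firmware-agent",   # "firmware" contains "rm"
    "cat /opt/tools/readme.txt",          # "tools" contains "ls"
    "lsof -i :22",                        # starts with "ls" but is not ls
    "echo false",                         # "false" contains "ls"
]

KEYWORDS = ["rm", "ls"]

# Hypothetical pattern: rm or ls as the command word, at the start of the
# line, after a shell separator, or after sudo, with an optional bin path.
COMMAND_WORD = re.compile(
    r"(?:^|[;&|]\s*|\bsudo\s+)(?:/(?:usr/)?bin/)?(?:rm|ls)(?=\s|$)"
)


def keyword_hits(commands, keywords):
    """Commands that contain any keyword as a plain substring."""
    return [c for c in commands if any(k in c for k in keywords)]


def regex_hits(commands, pattern):
    """Commands in which the pattern matches anywhere."""
    return [c for c in commands if pattern.search(c)]


def noise(commands, keywords, pattern):
    """Commands the keyword condition flags but the pattern does not."""
    precise = set(regex_hits(commands, pattern))
    return [c for c in keyword_hits(commands, keywords) if c not in precise]


if __name__ == "__main__":
    print("keyword:", len(keyword_hits(SAMPLE_COMMANDS, KEYWORDS)))
    print("regex:  ", len(regex_hits(SAMPLE_COMMANDS, COMMAND_WORD)))
    for command in noise(SAMPLE_COMMANDS, KEYWORDS, COMMAND_WORD):
        print("keyword-only:", command)
```

A tighter pattern can miss indirect invocations, so check it against recorded sessions before relying on it in place of the keyword condition.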
11. File Transfer (SFTP)
Notification for File Transfer Execution via SFTP.
Alert Trigger Condition : Conditions for sending notifications.
File Upload : Send notification when a file is uploaded.
File Download : Send notification when a file is downloaded.
Connection : Target connections for sending notifications (multiple selections allowed).
You can select servers and server groups, and duplicate selections are allowed.
Even if multiple targets are selected, the notification will be sent only once.
Select All : Send notifications for all connections.
Example: Send Notification Only When a User Downloads a File via SFTP
Alert Type : File Transfer (SFTP)
Alert Trigger Condition : Check only File Download
Viewing and Editing Notification Details
To view or modify the details of a notification, select the notification you want to review on the Alerts page. In the Details tab of the detailed page, you can view and edit the notification conditions and messages that were set during creation. Click the Save Changes button at the top right to apply any modifications.
Testing Notification Integration
On the Alerts page, select the notification you want to test. Click the Test button at the top right of the detailed page to send a test notification to the selected channel.
The test message will be sent with the content: QueryPie Alert Test.
Viewing Notification Sending History
In the Alerts list, select the notification for which you want to view the sending history. On the detailed page, navigate to the Log section to review the notification history.
Deleting Notifications
There are two methods for deleting existing notifications.
1. Delete from the Alerts Page
In the Alerts list, select the notifications you wish to delete using the checkboxes. Click the Delete button that appears. A confirmation modal will be displayed. Click the OK button to complete the deletion.
2. Delete from the Notification Detail Page
Go to the detailed page of the notification you want to delete. Click the Delete button at the top right of the page. A confirmation modal will appear. Click the OK button to finalize the deletion.