
Alerts

Overview

The Alerts page offers notification features related to resource access. By pre-setting trigger conditions for major anomalies, you can detect policy violations in real-time. This allows for the rapid identification and resolution of potential security incidents and helps protect sensitive information from exposure or excessive queries that exceed predefined thresholds.

[Screenshot: Administrator > General > Company Management > Alerts]


Supported Notification Types

In addition to common notifications, notifications specialized for database access and system access are supported.

The types of notifications supported for each service are as follows:

Service Classification | Notification Type | Description
SAC, DAC, KAC | New Request | New Approval Request Notification
General | Unusual Login Attempt | User Login Activity Notification by IP Range
DAC | SQL Execution | Notification for SQL Statement Execution Matching Defined Conditions
DAC | Prevented SQL Execution | Unauthorized SQL Execution Notification
DAC | DB Connection Attempt | Database Connection Success or Failure Notification
DAC | Sensitive Data Access | Notification for Accessing Sensitive Data Based on Defined Conditions
DAC | SQL Export | Notification for SQL Export Execution Based on Defined Conditions
SAC | Server Connection Attempt | Server Connection Success or Failure Notification
SAC | Restricted Command | Notification for Execution of Blocked Commands by Server/Server Group
SAC | Specific Command | Specific Command Execution Notification
SAC | File Transfer (SFTP) | File Transfer Execution Notification via SFTP
KAC | K8s API Request | Kubernetes API Request Notification

  • K8s API Request alerts are supported from version 10.2.2 and onward.

Creating Notifications

Click the Create Alert button at the top right of the Alerts page to create a new notification. Click the OK button to complete the notification creation.

[Screenshot: Administrator > General > Company Management > Alerts > Create Alert]

  1. Name : Notification Name

  2. Alert Type : Select the type of notification.

    1. The conditions available for each alert type vary. Please refer to the document below for more details.

  3. Message Template : Set the notification message template.

    1. You can create a custom message by using the template variables supported in the Message Template Variable field.

    2. Note that the Message Template Variables differ depending on the Alert Type.

  4. Channel : Channel for sending notifications

    1. Select from the channels listed under Administrator > General > Channels

    2. For more details about channels, refer to the Channels document

  5. Send Test Message : Send a test notification message.

    1. This sends a test message with the entered message template content to the selected channel.

New Request

Notification for New Approval Request Registration

  • Request Type : Workflow Request Type

    • Choose from the following:

      • DB Access Request

      • SQL Request

      • SQL Export Request

      • Server Access Request

      • Access Role Request

      • Unmasking Request

      • All Requests (*) : Sends notifications for all request types

  • Urgent Mode : Whether to notify about post-approval requests

    • All : Sends notifications for all approval requests

    • Urgent Mode Only : Sends notifications only for post-approval requests

(10.2.2) Template Variable Information

  • For notifications sent to a Slack API-based channel, Slack user mentions for {{assignees}} are supported.

  • The template variables available depend on the selected Request Type. For more details, please refer to the separate document on Template Variables by Request Type under New Request.

Unusual Login Attempt

Notification for user login attempts based on IP range.

  • Action Count : The number of failed authentication attempts that will trigger an alert.

    • You can enter a value of 2 or more.

  • Specific Time Interval (Minutes) : The time frame (in minutes) within which the alert will be triggered.

    • You can enter a value of 1 or more.

Example) Sending an alert for unusual login attempts - When there are 3 failed login attempts to QueryPie within 5 minutes.

  • Action Count : 3

  • Specific Time Interval (Minutes) : 5

SQL Execution

Notification for SQL queries that meet defined conditions.

  • Rows : The number of rows that trigger the alert.

    • For SQL events that do not modify records, enter 0.

      • (e.g., Create, Drop, Revoke, Truncate)

    • For all other SQL events, enter 1 or more.

  • Specific Time Interval (Minutes) : The time frame (in minutes) within which the alert will be triggered (available in version 10.2.2 and later).

    • Entering 0 will trigger the alert based on the execution of a single SQL query without any time condition.

    • The maximum value is 1440 minutes.

  • SQL Events : SQL queries that will trigger the alert (multiple selections allowed).

  • Connection : The connection(s) for which the alert will be sent when the query is executed (available in version 10.2.2 and later, multiple selections allowed).

    • "All Connections (*)" allows you to create alert conditions for all future connections.

Example 1) Alert for Bulk Data Retrieval (over 100 rows)

  • Rows: 100

  • SQL Events: SELECT

Example 2) Alert for Data Modification or Deletion Attempts

  • Rows: 1

  • SQL Events: UPDATE, DELETE

Prevented SQL Execution

Alert for Unauthorized SQL Execution

  • Connection: The target connection to send an alert when the query is executed (available in version 10.2.2 and later - multiple selections allowed)

    • All Connections (*): Create alert conditions for all connections that will be added in the future

DB Connection Attempt

Alert for DB Connection Success or Failure

  • Alert Trigger Condition: Conditions for sending alerts (multiple selections allowed)

    • Success: Alert is sent when DB connection is successful

    • Failure: Alert is sent when DB connection fails

  • Connection Failure Trigger with Interval: Set alert conditions based on the number of connection failures and time period

    • This option is only available if Failure is selected. When enabled, additional input fields are displayed.

    • Action Count : The number of failures before triggering the alert

      • A value of 1 or greater can be entered.

    • Specific Time Interval (Minutes) : The time period (in minutes) for which the failure count is tracked

      • A value of 1 or greater can be entered.

  • Connection: The target connection(s) for which the alert is sent (available in version 10.2.2 and later - multiple selections allowed)

    • All Connections (*): Create alert conditions for all connections that will be added in the future.

Example : Alert for Unusual DB Connection Attempts - Trigger Alert After 3 Failed DB Connection Attempts Within 5 Minutes

  • Alert Trigger Condition: Failure

  • Connection Failure Trigger with Interval: On

  • Action Count: 3

  • Specific Time Interval (Minutes): 5
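The Unusual Login Attempt, SQL Execution and DB Connection Attempt conditions above all reduce to one check: a count (or row total) reaching a threshold within a Specific Time Interval, with an interval of 0 meaning a single event is judged on its own. The following is an added example, not QueryPie code, that implements that check and replays it over constructed log events; it assumes that row counts from separate queries accumulate within a non-zero interval and that a rule resets after firing, neither of which the page states explicitly.

```python
# Added example (not QueryPie code): the Action Count / Rows + Specific Time
# Interval rules as one sliding-window check, replayed over constructed events.
from collections import deque
from datetime import datetime, timedelta

MAX_INTERVAL = 1440  # maximum Specific Time Interval stated on the page

class WindowedThreshold:
    """Fire when the weighted sum of events in the last `interval_minutes`
    reaches `threshold`.  Interval 0 means no time condition: each event is
    judged on its own (the page's rule for SQL Execution / SQL Export)."""

    def __init__(self, threshold: int, interval_minutes: int):
        if threshold < 1 or not 0 <= interval_minutes <= MAX_INTERVAL:
            raise ValueError("threshold >= 1 and 0 <= interval_minutes <= 1440")
        self.threshold = threshold
        self.window = timedelta(minutes=interval_minutes)
        self.events = deque()  # (time, weight) pairs still inside the window

    def observe(self, at: datetime, weight: int = 1) -> bool:
        """Record one event (weight 1 for a failed login or connection, or the
        row count of a query) and return True if the alert fires now."""
        if not self.window:  # timedelta(0) is falsy: judge this event alone
            return weight >= self.threshold
        self.events.append((at, weight))
        while self.events and at - self.events[0][0] > self.window:
            self.events.popleft()  # evict events older than the interval
        if sum(w for _, w in self.events) >= self.threshold:
            self.events.clear()  # assumption: one burst raises one alert
            return True
        return False

T0 = datetime(2024, 7, 29, 14, 0)  # constructed reference time
# Constructed logs as (timestamp, weight); minutes are offsets from T0
LOGIN_FAILURES = [(T0 + timedelta(minutes=m), 1) for m in (0, 2, 4, 30)]
SQL_ROWS = [(T0 + timedelta(minutes=m), rows) for m, rows in ((0, 40), (1, 70), (20, 150))]

def fired_minutes(rule: WindowedThreshold, events) -> list:
    """Replay events through a rule; return minute offsets at which it fired."""
    return [int((at - T0).total_seconds() // 60) for at, w in events if rule.observe(at, w)]

def login_alerts():        # page example: Action Count 3 within 5 minutes
    return fired_minutes(WindowedThreshold(3, 5), LOGIN_FAILURES)

def bulk_select_single():  # Rows 100, interval 0: each query judged alone
    return fired_minutes(WindowedThreshold(100, 0), SQL_ROWS)

def bulk_select_windowed():  # Rows 100 accumulated across queries in 10 minutes
    return fired_minutes(WindowedThreshold(100, 10), SQL_ROWS)
```

Three failed logins at minutes 0, 2 and 4 fire once at minute 4 and the stray failure at minute 30 does not; with interval 0 only the 150-row query fires, while with a 10-minute window the 40-row and 70-row queries together also fire at minute 1.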

Sensitive Data Access

Alert for Sensitive Data Access Based on Defined Criteria

  • Criteria: Select the condition for triggering the alert.

    • Sensitive Level : Based on the sensitivity level defined in the Sensitive Data Policy > Rule

      • Options: Low, Medium, High

    • Policy: Select a specific Sensitive Data Policy

      • Choose from the registered Sensitive Data Policies

  • Rows: Number of rows to trigger the alert (available in version 10.2.2 and later)

    • Minimum value: 1

  • Specific Time Interval (Minutes): Time interval (minutes) for the alert trigger (available in version 10.2.2 and later)

    • Setting 0 means the alert will be triggered based on a single SQL execution without time condition.

    • Maximum value: 1440 minutes.

To use the Sensitive Data Access alert type, tables and columns containing personal information must be pre-defined in the Sensitive Data Policy. For detailed information, please refer to the Sensitive Data documentation.

Example 1 : Sending an alert when sensitive data with a High sensitivity level is accessed:

  • Criteria : Sensitive Level

  • Sensitive Level : High

Example 2 : Sending an alert when personal data in a specific database is accessed:

  • Criteria : Policy

  • Policy : {Predefined Sensitive Data Policy}

SQL Export

SQL Export Notification for Defined Conditions

  • Rows: Number of rows that trigger the notification.

    • A value of 1 or greater can be entered.

  • Specific Time Interval (Minutes): The time interval for triggering the notification (available in version 10.2.2 and later).

    • Entering 0 means the notification will trigger based on a single SQL export without any time condition.

    • A maximum value of 1440 minutes can be entered.

  • Connection: The connection(s) that will trigger the notification when an SQL export is executed (available in version 10.2.2 and later - multiple selections allowed).

    • All Connections (*): Allows you to create notification conditions for all future connections that may be added.

Example: Sending an Alert When Attempting to Export More Than 100 Rows of Data

  • Alert Type: SQL Export

  • Trigger Condition (Rows): 100

Restricted Command

Alert for Blocked Command Execution by Server/Server Group

  • Connection : Select the connection(s) to send the alert to (Multiple selections allowed)

    • Servers and server groups can be selected, and multiple selections are possible.

      • If the same target is selected multiple times, an alert will only be sent once.

    • All Connections (*) : Create an alert condition for all connections that will be added in the future.

Specific Command

Alert for Specific Command Execution

  • Connection: Select the connection(s) to send the alert to (Multiple selections allowed)

    • Servers and server groups can be selected, and multiple selections are possible.

      • If the same target is selected multiple times, an alert will only be sent once.

    • All Connections (*) : Create an alert condition for all connections that will be added in the future.

  • Command : Define the condition for commands that will trigger the alert upon execution.

    • Keyword : Trigger the alert when a command contains the specified keyword.

    • RegEx : Trigger the alert when a command matches the specified regular expression.

File Transfer (SFTP)

Alert for File Transfer via SFTP

  • Alert Trigger Condition : Conditions that trigger the alert (Multiple selections allowed)

    • File Upload : Trigger the alert when a file is uploaded.

    • File Download : Trigger the alert when a file is downloaded.

  • Connection : Select the connection(s) to send the alert to (Multiple selections allowed)

    • Servers and server groups can be selected, and multiple selections are possible.

      • If the same target is selected multiple times, an alert will only be sent once.

    • All Connections (*) : Create an alert condition for all connections that will be added in the future.

K8s API Request (10.2.2)

Kubernetes API Request Alert

  • Result : API request result (Multiple selections allowed)

    • Success : Trigger the alert when the request is successful.

    • Failure : Trigger the alert when the request fails.

  • Clusters : Clusters where the API request alert will be sent

    • All Clusters (*) : Create an alert condition for all clusters that will be added in the future.

  • Verbs : The target verbs for which the alert will be triggered

    • Supported verbs: create, update, patch, delete, deletecollection (5 types).

  • Resource Kind: The resource types for which the alert will be triggered

    • Supported resource kinds : pods, pods/exec, pods/log, pods/portforward, services, ingresses, deployments, replicasets, etc. (Total of 24 types).

    • All Resources (*) : Create an alert condition for all resource types that will be added in the future.

Viewing and Editing Alert Details

To view the detailed information of an alert, select the alert from the Alerts page. In the Details tab of the detailed page, you can view and modify the alert conditions and message that were entered during alert creation. Once you have made the necessary changes, click the Save Changes button at the top-right corner to apply the modifications.

[Screenshot: Administrator > General > Company Management > Alerts > List Details (Details)]

Viewing Alert Delivery History

Select the alert from the Alerts list to view its delivery history. Then, you can check the delivery details in the Log section of the detailed page.

[Screenshot: Administrator > General > Company Management > Alerts > List Details (Logs)]

Deleting an Alert

There are two ways to delete a registered alert:

  1. Delete from the Alerts Page : In the Alerts list, select the alert you want to delete using the checkbox. The Delete button will appear. Click the button, and a confirmation modal will appear. Click OK to complete the deletion.

  2. Delete from the Alert's Detail Page : On the detail page of the alert you want to delete, click the Delete button at the top right. A confirmation modal will appear. Click OK to complete the deletion.
