Configure statement rules

更新时间:
复制 MD 格式

A statement rule is a set of conditions defined for an SQL template. You can use statement rules in combination with security rules to create more granular business rules. This topic describes how to manage statement rules for your databases.

Background information

The more conditions you define in a statement rule, the more granular the rule becomes. An SQL template must meet all conditions in the statement rule to trigger a match.

Prerequisites

You have added an asset in the Database Audit console. For instructions, see Add a database.

Add and enable a statement rule

  1. Log on to the Database Audit system. For instructions, see Log on to the Database Audit system.

  2. In the left-side navigation pane, choose Rule Configuration > Statement Rule.

  3. On the Statement Rule page, select a database and click the 添加 icon.

  4. In the rule creation area on the right side of the Statement Rule Management page, configure the settings and click Save.

    Category

    Parameter

    Description

    Basic information

    Rule name

    The name of the rule.

    Important

    Custom rule names must be unique within a database.

    Risk level

    Specifies the risk level for alerts triggered by this rule.

    Access source

    Source IP

    The source IP address or range used to access the database, for example, 192.168.XX.1-192.168.XX.128.

    To allow access from any source, set the IP address range to 0.0.0.0-255.255.255.255.

    Database user

    The database username.

    Client tool

    The name of the client tool used to access the database.

    MAC address

    The MAC address of the device used to access the database.

    Operating system user

    The operating system username.

    Hostname

    The hostname of the computer used to access the database.

    Instance name

    The name of the database instance.

    Application identity

    Application client IP

    The client IP address associated with the application.

    Application user

    The username associated with the application.

    Response action

    Control action

    For information only. No configuration is required.

    Audit

    Specifies the audit action. You can choose from the following options:

    • Audit and Alert: The system audits events that match this rule and generates alerts.

    • Audit Only: The system audits events that match this rule but does not generate alerts.

    • No Audit: The system does not audit events that match this rule.

    Time limit settings

    Time limit settings

    The period during which the rule is active.

    After adding a custom rule, it appears in the rule navigation tree on the left. You can edit or delete the rule on its details page.

  5. On the Statement Rule page, click the status toggle for a rule to enable or disable it.

    If the audit action for a rule is set to Audit and Alert, the system triggers a risk alert when an audit record matches the enabled rule.

Adjust rule priority

If a single SQL statement matches multiple statement rules, you can adjust the rule priority to apply the rule with the highest priority.

Note

Rules are matched in a specific order: statement rules are evaluated before security rules. Within each type, rules are also evaluated by priority.

  1. Log on to the Database Audit system. For instructions, see Log on to the Database Audit system.

  2. In the left-side navigation pane, go to the Rule Configuration > Statement Rule page.
  3. On the Statement Rule page, select a rule and use the Move Up, Move Down, Move to Top, or Move to Bottom options to change the rule's priority. Then, click the 生效优先级 icon to save your changes.

Related topics

To learn how to configure security rules and understand the effective priority of both security and statement rules, see Configure security rules.