A statement rule is a set of conditions defined for an SQL template. You can use statement rules in combination with security rules to create more granular business rules. This topic describes how to manage statement rules for your databases.
Background information
The more conditions you define in a statement rule, the more granular the rule becomes. An SQL template must meet all conditions in the statement rule to trigger a match.
Prerequisites
You have added an asset in the Database Audit console. For instructions, see Add a database.
Add and enable a statement rule
Log on to the Database Audit system. For instructions, see Log on to the Database Audit system.
In the left-side navigation pane, choose .
-
On the Statement Rule page, select a database and click the
icon. -
In the rule creation area on the right side of the Statement Rule Management page, configure the settings and click Save.
Category
Parameter
Description
Basic information
Rule name
The name of the rule.
ImportantCustom rule names must be unique within a database.
Risk level
Specifies the risk level for alerts triggered by this rule.
Access source
Source IP
The source IP address or range used to access the database, for example, 192.168.XX.1-192.168.XX.128.
To allow access from any source, set the IP address range to 0.0.0.0-255.255.255.255.
Database user
The database username.
Client tool
The name of the client tool used to access the database.
MAC address
The MAC address of the device used to access the database.
Operating system user
The operating system username.
Hostname
The hostname of the computer used to access the database.
Instance name
The name of the database instance.
Application identity
Application client IP
The client IP address associated with the application.
Application user
The username associated with the application.
Response action
Control action
For information only. No configuration is required.
Audit
Specifies the audit action. You can choose from the following options:
-
Audit and Alert: The system audits events that match this rule and generates alerts.
-
Audit Only: The system audits events that match this rule but does not generate alerts.
-
No Audit: The system does not audit events that match this rule.
Time limit settings
Time limit settings
The period during which the rule is active.
After adding a custom rule, it appears in the rule navigation tree on the left. You can edit or delete the rule on its details page.
-
-
On the Statement Rule page, click the status toggle for a rule to enable or disable it.
If the audit action for a rule is set to Audit and Alert, the system triggers a risk alert when an audit record matches the enabled rule.
Adjust rule priority
If a single SQL statement matches multiple statement rules, you can adjust the rule priority to apply the rule with the highest priority.
Rules are matched in a specific order: statement rules are evaluated before security rules. Within each type, rules are also evaluated by priority.
Log on to the Database Audit system. For instructions, see Log on to the Database Audit system.
- In the left-side navigation pane, go to the page.
-
On the Statement Rule page, select a rule and use the Move Up, Move Down, Move to Top, or Move to Bottom options to change the rule's priority. Then, click the
icon to save your changes.
Related topics
To learn how to configure security rules and understand the effective priority of both security and statement rules, see Configure security rules.