Rule Chaining
Chaining with Parameterized User-Defined Rules
FortiDB Version 3.2 Utilities User Guide
15-32000-81369-20081219
11
After the database has been specified and you have clicked on
[Add Item]
, you
will be presented with the
Create Rule Chaining Settings
page.
Here, you need to:
• Name the Rule Chain
• Select the policy you want to use as the
Source Rule
• Select the target rule (
Chained Rule
) you want to execute, once the first rule
had been violated.
• Specify whether you want the chain to run immediately upon source-rule
violation or not.
Run Immediately
means that the target rule will run as soon
as there is a source-rule violation.
Run as Scheduled
means that the target
rule will run according to the module-, database-, or item-specific schedule that
is in effect for the source rule.
• Decide whether you want to immediat
1
ely enable the chain or not. Unless you
check the
Enable Chain?
checkbox, the chain won't be in effect. This allows
you to create the chain and then only use it when needed.
You can see the Module and the name of the available guarded items for all
policies. For example, 'PM|' or 'UBM|' preceding the rule name indicates the PM,
or UBM module, respectively.
After the Rule Chain is invoked, alerts will appear with those of other policies.
Chaining with Parameterized User-Defined Rules
Parameters, specific to the RDBMS type of your target database, can be passed
from the source to the target in order to permit the target to perform specific tasks,
such as to kill the session of a suspicious user.
The source rule can be a UBM User, Object, or Session Policy. The target rule can
only be a User-Defined Rule (UDR) and specifically one that can accept
parameters: a Parameterized User Defined Rule (PUDR). The PUDR functionality
can be accessed within the UBM module. (See the
FortiDB MA User Behavior
Monitor (UBM) User Guide
)
When there is a violation of the source rule, the target UDR gets executed, with
the parameters passed from the source rule. An alert is generated both for the
source violation and for the PUDR execution.
1.
A module schedule will be overridden by a database-specific schedule, if one is set. A
database-specific schedule will be overridden by an item-specific schedule if one is set.
Note:
For UBM policies, which are indicated in green, you can pass parameters
from the Source Rule to the Chained Rule, if the latter is a Parameterized User-
Defined Rule (PUDR) and if the Chain meets certain other conditions. For more
information on how to create a PUDR see the FortiDB MA User Behavior Monitor
(UBM) User Guide. For more information on using PUDRs in a chain, see
Chaining with Parameterized User-Defined Rules
).