Trust Rules

Set the rule name. Must consist of   Chinese characters, letters, numbers, underlines (_), dots (.)   or dashes (-), within 64 characters.

Description of the rule.

Required. The system's default risk   level is medium. The risk level can be high, medium, or low.

Required. You can select a custom rule   group or a default rule group. To manage custom rule groups, follow the steps   below:

On the   right side of the associated rule group, click Manage Rule Group to   add, modify and delete the custom rule group.

Currently, two types of rules are   supported: general rules and statistical rules.

• General rules: When a single audit        record matches a common rule configured, a general alarm will be        triggered (for example, a select statement may trigger a general alarm).

• Statistical rules: If the        configured statistical rules are matched multiple times within a        specified time, a statistical alarm will be triggered (for example, 10        select failures within five minutes may trigger a statistical alarm).

Currently available are alarm, and alarm and   blocking.

• Alarm: After an operation matches        a rule, it is still executed normally without special control.

• Alarm and blocking: After an        operation matches a rule, the database connection corresponding to the        operation is disconnected.

Client IP or IP group for accessing a   service type. You can fill in multiple entries, and separate them with commas   (,).

You can configure multiple client tools by   separating them with commas (,). Example: db2bp.exe,java.exe.

You can configure multiple values or   ranges, and separate them with commas (,). Example: 10-15,20,25,30-40.

You can fill in multiple values, and separate them   with commas (,).

You can select a string or a regular expression.   The string can contain multiple values separated with commas (,).

You can select a string or a regular expression.   The string can contain multiple values separated with commas (,).

Specifies the application IP or IP   group that matches the rule, corresponding to the associated IP in audit   logs. Multiple values can be filled in. Separate them with commas (,).

Specifies the application user or user   group that matches the rule, corresponding to the associated account in audit   logs. Multiple values can be filled in. Separate them with commas (,).

You can fill in multiple values, and separate them   with commas (,).

You can configure multiple values or   ranges, and separate them with commas (,). Example: 10-15,20,25,30-40.

Specifies the database login user   account or account group that matches the rule, or a regular expression.   Multiple values can be filled in. Separate them with commas (,).

You can fill in multiple values, and   separate them with commas (,).

You can select a string or regular   expression. For an Oracle database, enter an SID. For other databases, enter   a database name. The string can contain multiple values. Separate them with   commas (,).

Specifies the object group that matches the rule.

Specifies the operation type of an SQL statement,   for example, select, update, delete, etc.

Optional. Multiple values can be filled   in. Separate them with commas (,).

SQL   keywords: Supports matching packets with regular expressions.

Click Regular   Verification to enter the packet content, click Verify to verify   whether the input content matches the regular expression in the execution   result keyword; click Add Condition to add multiple conditions.

Logical   expression of conditional operation: If the SQL keyword is filled in, this   item is required. The relationship between conditions can be based on AND,   OR, NOT, and bracket operations (&: AND; |: OR; ~: NOT). Conditions are   represented by serial numbers, that is, 1 represents condition 1. For   example, 1&2 means there are two SQL keyword conditions and both keywords   must be met for an alarm to be generated.

Specifies the length of a SQL statement. Value   range: 1 B to 64 KB.

This rule is triggered when the number   of tables involved in the SQL operation is greater than or equal to this   value. The maximum input value allowed is 255.

Whether there is any WHERE clause.   Supports three options:

• Do not check

• With WHERE clause

• Without WHERE clause

The   default is "Do not check". A WHERE clause is used to extract SQL   records that meet the specified conditions. The syntax is as follows:

SELECT   column_name,column_name

FROM   table_name

WHERE   column_name operator value;

(Optional) Unit: Seconds, milliseconds,   microseconds. Value range: zero to half an hour. If the SQL execution   duration falls within this range, the rule is triggered.

Value range: 0 to 999,999,999. If the   number of records returned by the SQL operation or the number of affected   rows falls within this range, the rule is triggered.

Supports matching with regular   expressions.

Click Regular   Verification to enter the packet content, click Verify to verify   whether the input content matches the regular expression in the execution   result keyword; click Add Condition to add multiple conditions.

Logical   expression of conditional operation: If the SQL keyword is filled in, this   item is required. The relationship between conditions can be based on AND,   OR, NOT, and bracket operations (&: AND; |: OR; ~: NOT). Conditions are   represented by serial numbers, that is, 1 represents condition 1. For   example, 1&2 means there are two SQL keyword conditions and both keywords   must be met for an alarm to be generated.

There   are three types of execution status:

• All

• Successful

• Failed

The   default is "All".

Supports matching with regular   expressions.

You can customize the time group or   select one.

Value range: 0 to 99,999. Where, 0 for   no limit.

Set the storage policy for the returned   result set of the alarm logs of the rule, including "Same as asset   settings", "Save", and "Do not save".