Parameter | Description |
Rule Template Name | This field can contain up to 30 letters, digits, and symbols -_./()[]()+=::@ and cannot start with a digit. |
Rule Content | Specify the rule content, including parameters, matching types, and feature strings. For detailed descriptions and examples, see Rule Content Details and Examples. Note: You can click 'Add' under Rule Content to include additional parameter fields. You can click 'Delete' in the action column under Rule Content to remove unnecessary parameter fields and conditions, although at least one parameter field and condition must remain. |
Risk Level | Choose a risk level for this rule template. Options include Low Risk, Medium Risk, and High Risk. |
Alarm Policy | Choose an alarm policy for this rule template. Options include 'Do Not Send Alarms' and 'Send Alarms'. Note: Please go to TCOP->Alarm Management to set alarm rules and notifications. For detailed information, refer to Post-Event Alarm Configuration. |
Rule Template Remarks | This field can contain up to 200 letters, digits, and symbols -_./()[]()+=::@ and cannot start with a digit. |

Parameter Field | Operator | Characteristic String |
Client IP | Include, Exclude, Equal to, Not equal to, Regex | Up to five client IPs can be configured, separated by a vertical bar "|". When the operator is Regex, only one characteristic string can be entered. |
User Account | Include, Exclude, Equal to, Not equal to, Regex | Up to five user accounts can be configured, separated by a vertical bar "|". When the operator is Regex, only one characteristic string can be entered. |
Database Name | Include, Exclude, Equal to, Not equal to, Regex | Up to five database names can be configured, separated by a vertical bar "|". When the operator is Regex, only one characteristic string can be entered. |
SQL Details | Include, Exclude | Up to five SQL commands can be configured, separated by a vertical bar "|". |
SQL Type | Equal to, Not equal to | Up to five SQL types can be selected. Valid options: ALTER, CHANGEUSER, CREATE, DELETE, DROP, EXECUTE, INSERT, LOGIN, LOGOUT, OTHER, REPLACE, SELECT, SET, UPDATE. |
Affected Rows | Greater than, Less than | Select affected rows. |
Returned Rows | Greater than, Less than | Select returned rows. |
Scanned Rows | Greater than, Less than | Select scanned rows. |
Execution Time | Greater than, Less than | Select the execution time, in milliseconds. |
a, b, or c, and the client IP should include IP1, 2 or 3, then the audit logs filtered by the rule are those where the database name includes a, b, or c and the client IP includes IP1, 2, or 3.
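The matching logic described above (any listed value within one parameter field, all parameter fields together) can be modelled offline to check which audit records a planned rule would catch. This is an added example, not the product's own code. It assumes that Include is a substring match and that Exclude / Not equal to mean "none of the values match"; the record layout, database names and IPs are constructed.

```python
import re

# Operators from the table above. Substring semantics for Include and
# "none of the values match" for the negated operators are assumptions.
STRING_OPS = {
    "Include":      lambda field, vals: any(v in field for v in vals),
    "Exclude":      lambda field, vals: not any(v in field for v in vals),
    "Equal to":     lambda field, vals: field in vals,
    "Not equal to": lambda field, vals: field not in vals,
    "Regex":        lambda field, vals: re.search(vals[0], field) is not None,
}
NUMERIC_OPS = {
    "Greater than": lambda field, n: field > n,
    "Less than":    lambda field, n: field < n,
}

def parse_condition(field, operator, feature):
    """Validate one rule-content row; return (field, operator, value)."""
    if operator in NUMERIC_OPS:
        return field, operator, int(feature)
    if operator not in STRING_OPS:
        raise ValueError(f"unknown operator: {operator}")
    # Regex takes exactly one string, so "|" is alternation, not a separator.
    values = [feature] if operator == "Regex" else feature.split("|")
    if len(values) > 5:
        raise ValueError(f"{field}: at most five values are allowed")
    return field, operator, values

def matches(rule, record):
    """A record hits the rule only if every condition holds (AND across rows)."""
    for field, operator, value in rule:
        op = NUMERIC_OPS.get(operator) or STRING_OPS[operator]
        if not op(record[field], value):
            return False
    return True

def filter_logs(rule, logs):
    return [r for r in logs if matches(rule, r)]

# Constructed rule in the shape of the example above: three names AND three IPs.
RULE = [
    parse_condition("Database Name", "Include", "payroll|billing|crm"),
    parse_condition("Client IP", "Include", "10.0.0.1|10.0.0.2|10.0.0.3"),
]
# Constructed audit records (not real log output).
LOGS = [
    {"Database Name": "payroll", "Client IP": "10.0.0.2", "SQL Type": "SELECT", "Returned Rows": 120000},
    {"Database Name": "payroll", "Client IP": "192.168.5.9", "SQL Type": "SELECT", "Returned Rows": 3},
    {"Database Name": "inventory", "Client IP": "10.0.0.1", "SQL Type": "DROP", "Returned Rows": 0},
    {"Database Name": "crm_archive", "Client IP": "10.0.0.3", "SQL Type": "DELETE", "Returned Rows": 0},
]
```

If Include is a substring match as assumed here, the value `10.0.0.1` also hits a client at `10.0.0.12`; Equal to or an anchored Regex avoids that when a rule is meant to cover exact addresses.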