

Candidate Queries for Modification

Consider modifying selected predefined queries for use with alerts. To customize a query, add a simple filter whose values come from the CEG analysis of severe events, and set the Date Range Selection to the predefined range Last 5 minutes so that notification is immediate. Match that five-minute range to the interval at which the alert runs: a longer interval leaves gaps, a shorter one re-reports the same events. A few examples follow:

Query for Successful Configuration Error

  1. Copy Configuration Error Activity Detail.

    This query returns successes as well as failures. Only successes are needed, so the simple filter restricts the Result.

  2. Set the simple filter as follows:

    Category:       Configuration Management
    Class:          Configuration Management
    Action:         Configuration Error
    Result:         Success
    Security Level: 6

  3. Save as Alert: Successful Configuration Error

Query for Successful Control File Creation

  1. Copy Data Manipulation Activity Detail.

    This query retrieves all data access actions. The simple filter narrows it to successful control file creations only.

  2. Set the simple filter as follows:

    Category:       Data Access
    Class:          Object Management
    Action:         Control File Creation
    Result:         Success
    Security Level: 6

  3. Save as Alert: Successful Control File Creation

Query for Antivirus Scan Failure

  1. Copy Virus Activity by Action.

    This query returns all antivirus actions in the Host Security category.

  2. Set the simple filter as follows, using this definition as a guide:

    Category:       Host Security
    Class:          Antivirus Activity
    Action:         Scan Error
    Result:         Success
    Security Level: 6

    Note that the Result is Success, not Failure: in CEG terms, a Scan Error action with a Success result means the scan error occurred, which is what a failed virus scan looks like.

  3. Save as Alert: Virus Scan Failed

Query for Virus Cleaning Failure

You can use the predefined query Virus Detection or Cleaning Activity Detail to retrieve both actions (detection and cleaning) with either success or failure results. This may be sufficient for your needs. Optionally, you can create two separate queries based on it, each specifying the action and result indicated in the CEG table for severe events. The first, for cleaning failures, follows; the second, for successful detections, is in the next procedure.

  1. Copy Virus Detection or Cleaning Activity Detail.

  2. Create a simple filter that specifies the cleaning action with a result of Failure:

    Category:       Host Security
    Class:          Antivirus Activity
    Action:         Virus Clean
    Result:         Failure
    Security Level: 6

  3. Remove the Advanced Filter copied from the predefined query, so that only the simple filter applies.

  4. Save as Alert: Virus Cleaning Failure

Query for Successful Detection of a Virus

This is the second of the two queries derived from Virus Detection or Cleaning Activity Detail.

  1. Copy Virus Detection or Cleaning Activity Detail.

  2. Create a simple filter that specifies the detection action only, with a result of Success:

    Category:       Host Security
    Class:          Antivirus Activity
    Action:         Virus Detected
    Result:         Success
    Security Level: 6

  3. Remove the Advanced Filter copied from the predefined query, so that only the simple filter applies.

  4. Save as Alert: Virus Detected
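The five alert filters above are all the same shape: a conjunction of equality tests on the CEG fields Category, Class, Action, Result and Security Level, evaluated over events that fall inside the Last 5 minutes date range. The following added example (not code from the original page or from the product) models that evaluation in Python so the filters can be checked against sample data before they are saved as alerts. The field names event_category, event_class, event_action, event_result, event_severity and event_datetime are assumed CEG-style names for this illustration, and the events are constructed, not captured from any system.

```python
from datetime import datetime, timedelta, timezone

# The five simple filters from the procedures above, keyed by alert name.
# Field names are assumed CEG-style names for this illustration.
ALERT_FILTERS = {
    "Successful Configuration Error": {
        "event_category": "Configuration Management",
        "event_class": "Configuration Management",
        "event_action": "Configuration Error",
        "event_result": "Success",
        "event_severity": 6,
    },
    "Successful Control File Creation": {
        "event_category": "Data Access",
        "event_class": "Object Management",
        "event_action": "Control File Creation",
        "event_result": "Success",
        "event_severity": 6,
    },
    # Scan Error with a Success result is the CEG form of a failed scan.
    "Virus Scan Failed": {
        "event_category": "Host Security",
        "event_class": "Antivirus Activity",
        "event_action": "Scan Error",
        "event_result": "Success",
        "event_severity": 6,
    },
    "Virus Cleaning Failure": {
        "event_category": "Host Security",
        "event_class": "Antivirus Activity",
        "event_action": "Virus Clean",
        "event_result": "Failure",
        "event_severity": 6,
    },
    "Virus Detected": {
        "event_category": "Host Security",
        "event_class": "Antivirus Activity",
        "event_action": "Virus Detected",
        "event_result": "Success",
        "event_severity": 6,
    },
}


def _event(event_id, ts, category, cls, action, result, severity=6):
    """Build one normalized event record (constructed sample data)."""
    return {
        "event_id": event_id,
        "event_datetime": ts,
        "event_category": category,
        "event_class": cls,
        "event_action": action,
        "event_result": result,
        "event_severity": severity,
    }


# Constructed sample events; "now" is fixed so the window is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
CM = "Configuration Management"
AV = "Antivirus Activity"
SAMPLE_EVENTS = [
    _event(1, "2024-05-01T11:58:00+00:00", CM, CM, "Configuration Error", "Success"),
    _event(2, "2024-05-01T11:59:00+00:00", CM, CM, "Configuration Error", "Failure"),  # failure: excluded
    _event(3, "2024-05-01T11:50:00+00:00", CM, CM, "Configuration Error", "Success"),  # 10 min old: excluded
    _event(4, "2024-05-01T11:57:00+00:00", "Data Access", "Object Management", "Control File Creation", "Success"),
    _event(5, "2024-05-01T11:57:00+00:00", "Host Security", AV, "Scan Error", "Success"),
    _event(6, "2024-05-01T11:56:00+00:00", "Host Security", AV, "Virus Clean", "Failure"),
    _event(7, "2024-05-01T11:59:00+00:00", "Host Security", AV, "Virus Detected", "Success"),
    _event(8, "2024-05-01T11:59:00+00:00", "Host Security", AV, "Virus Clean", "Success"),  # cleaned: no alert
    _event(9, "2024-05-01T11:59:00+00:00", "Host Security", AV, "Virus Detected", "Success", severity=3),  # below level 6
]


def matches_filter(event, simple_filter):
    """A simple filter is a conjunction of equality tests, one per CEG field."""
    return all(event.get(field) == value for field, value in simple_filter.items())


def in_window(event, now, window):
    """Date Range Selection: keep events from the last `window` up to `now`."""
    ts = datetime.fromisoformat(event["event_datetime"])
    return now - window <= ts <= now


def evaluate_alerts(events, now, window=timedelta(minutes=5)):
    """Return, per alert name, the ids of in-window events that match its filter."""
    hits = {name: [] for name in ALERT_FILTERS}
    for event in events:
        if not in_window(event, now, window):
            continue
        for name, simple_filter in ALERT_FILTERS.items():
            if matches_filter(event, simple_filter):
                hits[name].append(event["event_id"])
    return hits


if __name__ == "__main__":
    for name, ids in evaluate_alerts(SAMPLE_EVENTS, NOW).items():
        print(f"{name}: {ids}")
```

Running the block shows exactly one matching event per alert: the failed configuration change (event 2), the stale one (event 3), the successful clean (event 8) and the low-severity detection (event 9) are all dropped, which is the behaviour each procedure's filter is meant to produce. Widening the window to 15 minutes brings event 3 back in, which is why the range should match the alert's run interval.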