Lack of Programmatic Call Back with SA 10.x based on Alert - Work Around

Discussion created by JohnyBricks on Mar 28, 2013
Latest reply on Mar 29, 2013 by JohnyBricks

Unlike enVision 4.x, the SA 10.x environment lacks the ability to programmatically call a program when a specific alert has been generated.


In a DB monitoring scenario, it is already known via alert that an item will require further review. Based on any report created, only the metadata will be available, and that meta is constrained to 256 characters (not good for a forensic review). In this case, log reviewers who might not be Security Analysts will require direct access to the SA 10.x environment in order to perform their analytics via Investigator links embedded in the report. Log reviewers will have to access the report via the SA 10.x GUI and drill down on the appropriate field in the report to obtain access to the raw SQL statements, for example. This is not an efficient process for Operations folks, or Auditors for that matter, to facilitate access to the item that requires review.


With a programmatic call back function, one of the things that we could accomplish is:

1) A DB monitoring rule (meta is available in SA) triggers an alert indicating suspicious activity or flagging the requirement for further review

2) Based on this alert, the event details are forwarded to the custom application via programmatic call back

3) The application consumes the alert event details and can extract full raw logs for a specified time period, with specific query criteria (time period, device.type, etc.), using the REST API

4) Once the report is generated the program can also mail the specific detailed report with full raw log data contained

5) Operations or Auditors will get a full detailed report without any field truncation due to meta size constraints since the program has access to the full evidence trail without truncation. These individuals would not require direct access either.


The custom application would have full access to the SA 10.x REST SDK/API and will bypass any shortcomings presented by the SA 10.x user interface.


Thoughts?
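The callback flow in steps 1) to 5) above, sketched as an added Python example (not code from the original post, and not RSA's own SDK code): an alert payload comes in, a time-bounded query on device.type is built from it, the raw events behind the alert are pulled through an injected transport so the example runs offline, and a report that carries the untruncated raw log is wrapped in an email message. The alert payload, the SDK response, the `/sdk?msg=query` endpoint and its parameter names, the concentrator hostname and port, and the NetWitness-style `select ... where ...` query syntax are all assumptions or constructed data; a real SA 10.x deployment would need the field names checked against its own alert and SDK output.

```python
"""Added example: alert -> query -> raw logs -> untruncated report -> mail.

Everything here is hypothetical: the ALERT dict, the SDK URL shape, the
query syntax and the FAKE_RESPONSE are constructed stand-ins, not SA 10.x's
actual formats.
"""
import json
import re
import urllib.parse
from datetime import datetime, timedelta
from email.message import EmailMessage

# Constructed alert payload; real SA 10.x alerts carry different field names.
ALERT = {
    "rule": "DB: DDL outside change window",
    "device_type": "oracle",
    "event_time": "2013-03-28 14:05:12",
    "summary": "ALTER TABLE HR.PAYROLL ADD (...)",  # the 256-char meta view
}

_SAFE_META = re.compile(r"^[A-Za-z0-9_.\-]+$")


def safe_meta_value(value):
    """Refuse alert-supplied values that could break out of a quoted query term."""
    if not _SAFE_META.match(value):
        raise ValueError(f"unsafe meta value: {value!r}")
    return value


def query_window(event_time, before_min=5, after_min=5):
    """Window around the alerting event that the raw-log pull should cover."""
    t = datetime.strptime(event_time, "%Y-%m-%d %H:%M:%S")
    return t - timedelta(minutes=before_min), t + timedelta(minutes=after_min)


def build_query(alert, before_min=5, after_min=5):
    """NetWitness-style query (assumed syntax) bounded by time and device.type."""
    fmt = "%Y-%m-%d %H:%M:%S"
    start, end = query_window(alert["event_time"], before_min, after_min)
    dev = safe_meta_value(alert["device_type"])
    return (f"select * where device.type='{dev}' "
            f"&& time='{start.strftime(fmt)}'-'{end.strftime(fmt)}'")


def sdk_url(base, query, size=1000):
    """Hypothetical SDK endpoint; path and parameter names are assumptions."""
    params = urllib.parse.urlencode({"msg": "query", "query": query, "size": size,
                                     "force-content-type": "application/json"})
    return f"{base}/sdk?{params}"


def fetch_raw_logs(alert, transport, base="https://concentrator.example:50105"):
    """transport(url) -> response text; injected so this runs without an SA box."""
    body = json.loads(transport(sdk_url(base, build_query(alert))))
    return [row["raw"] for row in body["results"]]


def render_report(alert, raw_logs):
    """Plain-text report that keeps every raw event whole, no 256-char cap."""
    lines = [f"Rule: {alert['rule']}", f"Event time: {alert['event_time']}",
             f"Query: {build_query(alert)}", ""]
    for i, raw in enumerate(raw_logs, 1):
        lines.append(f"--- raw event {i} ({len(raw)} chars, untruncated) ---")
        lines.append(raw)
    return "\n".join(lines)


def build_mail(report, sender, recipients, subject="SA alert evidence"):
    """Wrap the report in a message; sending it is left to an SMTP relay."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, ", ".join(recipients), subject
    msg.set_content(report)
    return msg


# Constructed SDK response carrying a raw SQL statement longer than 256 chars.
LONG_SQL = ("ALTER TABLE HR.PAYROLL ADD (BONUS_MULTIPLIER NUMBER(5,2) DEFAULT 1.00, "
            "APPROVED_BY VARCHAR2(64), APPROVED_AT TIMESTAMP, NOTES VARCHAR2(4000), "
            "AUDIT_FLAG CHAR(1) DEFAULT 'N', LEGACY_REF VARCHAR2(128)) "
            "-- issued from host DBA-WS-07 by SYS at 14:05:12 outside the change "
            "window and with no approved CHG ticket referenced in the session")
FAKE_RESPONSE = json.dumps({"results": [{"raw": LONG_SQL}]})


def fake_transport(url):
    """Stand-in for an HTTPS GET against the SDK; returns the constructed body."""
    assert "msg=query" in url
    return FAKE_RESPONSE


if __name__ == "__main__":
    logs = fetch_raw_logs(ALERT, fake_transport)
    print(build_mail(render_report(ALERT, logs), "sa@example", ["audit@example"]))
```

The one check worth keeping even if everything else changes is `safe_meta_value`: the device.type and any other alert field that ends up inside the query string is attacker-influenced data from the monitored system, so it must not be allowed to close the quote and append its own query terms.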
