Alerts
Important
This documentation is for the newly redesigned policy user interface. If you are looking for the former policy documentation, please refer to Thresholds.
Alerts can be added to tag and column policies to notify or block users when a sensitive data access limit is exceeded and/or when sensitive data is queried outside of a designated time frame. When an alert is triggered, a notification is sent to the user and the alert is logged on the Alerts page to be acknowledged and resolved.
There are two types of alerts:
Access rate—triggers an alert based on how many records a user accesses within a defined timeframe
Note
An alert triggers only after query results are returned and the query audit log is generated. Since ALTR doesn’t know the number of results until the query finishes, it cannot block the user before that. ALTR allows the query to complete, logs the results, and then blocks access if the alert criteria are violated.
Time window—triggers an alert based on the time of day or day of week that data was accessed
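The post-query behavior described in the note can be modeled as follows. This is an added illustration, not ALTR code: the class, the rolling-window counting, and the count reset on resolve are assumptions, and the queries are constructed sample data. It shows that the query that crosses the limit is still delivered in full, and only later queries are blocked.

```python
from collections import deque
from datetime import datetime, timedelta

class AccessRateAlert:
    """Toy model of an access rate alert: records exceed `limit` within `window`."""

    def __init__(self, limit, window, block_violators=True):
        self.limit, self.window, self.block_violators = limit, window, block_violators
        self.audit = {}       # user -> deque of (finished_at, records_returned)
        self.blocked = set()  # users blocked until their alert is resolved

    def query(self, user, finished_at, records):
        """Return (records_delivered, alert_triggered) for one query."""
        if user in self.blocked:
            return 0, False
        # The query completes and its audit entry is written first; only then
        # is the record count known and the alert criteria evaluated.
        log = self.audit.setdefault(user, deque())
        log.append((finished_at, records))
        while log and log[0][0] <= finished_at - self.window:  # assumption: rolling window
            log.popleft()
        triggered = sum(n for _, n in log) > self.limit
        if triggered and self.block_violators:
            self.blocked.add(user)
        return records, triggered

    def resolve(self, user):
        """Resolving restores access; resetting the count is an assumption."""
        self.blocked.discard(user)
        self.audit.pop(user, None)

def simulate():
    """Constructed scenario: limit of 1000 records per hour, blocking enabled."""
    alert = AccessRateAlert(limit=1000, window=timedelta(hours=1))
    t0 = datetime(2024, 1, 8, 9, 0)
    results = [
        alert.query("analyst", t0, 400),                           # under the limit
        alert.query("analyst", t0 + timedelta(minutes=10), 5000),  # crosses the limit
        alert.query("analyst", t0 + timedelta(minutes=15), 10),    # blocked
    ]
    alert.resolve("analyst")
    results.append(alert.query("analyst", t0 + timedelta(minutes=20), 10))
    return results

if __name__ == "__main__":
    for delivered, triggered in simulate():
        print(f"delivered={delivered:5d} alert={triggered}")
```

In this model the 5000-record query is returned before the block takes effect, so the limit bounds further access after a violation rather than the size of the violating query itself.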
To add an alert to a policy:
Select Policy in the Navigation menu.
Create a new policy or edit an existing policy.
Click Add an alert.
Click the alert to apply. Options are:
values exceed [number] within every [time frame]. This is an access rate alert.
access on [day of week] in [time zone] between [time] and [time]. This is a time window alert.
Select the parameters for the alert.
(Optional) Select the Block users who violate this rule check box to restrict access to the protected column or tag for the offending user.
Click Save.
Add additional alerts to the policy as needed.
When an alert is triggered, you can see its details, such as when it was triggered and what rule statement triggered the alert.
To view active alerts, select Alerts on the Navigation menu.
Resolving alerts acknowledges the alert and restores normal access to the data if access was blocked.
To resolve an alert:
Select Alerts in the Navigation menu.
Click the alert you wish to resolve.
(Optional) Add a note to the alert to explain the violation in order to provide a record for future reference.
Click the Notes tab to enter a note about the alert.
Enter a note to document details about the alert.
Click Post Note.
Click the Overview tab.
Click Resolve Alert.
(Optional) Enter a description of why you are resolving the alert.
Click Resolve. If the alert was blocking user access, access will be restored once the alert is resolved.
To view alerts that have been resolved, click the Resolved Alerts tab.