The suspicious activity module stores at most 50,000 records per server. Its purpose is to help identify activity from logins or applications that is unexpected or unwelcome in your environment.
Initially, most records come from known, routine sources. Eliminate the applications and logins you recognize by adding them to the whitelist; what remains is the activity worth investigating.
By default, the Experda agent runs two separate background profiler sessions that filter out whitelisted entities. Their overhead is bounded: they stop collecting once 50,000 records have been stored and resume only after the user has whitelisted entities.
Adding a login or an application to the whitelist automatically deletes all of its records and frees the module to resume searching for new suspicious activity.
The module creates two separate trace files that it monitors continuously. The more logins and applications are whitelisted, the less the trace files contain, so searching them becomes more efficient and places less load on the server.
The module is activated automatically when a new managed server is added. You may disable it at any time (see 4 in the diagram below).
This module is independent of the main timeframe control; the selected time range does not affect its results.
Note: collection stops automatically once 50,000 activities have been collected and resumes when applications or logins are added to the whitelist.
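The following is an added example, not Experda's own code or configuration, of how a whitelist-filtered background session of the kind described above can be built on the monitored server itself. It assumes the monitored server is Microsoft SQL Server 2012 or later, uses an Extended Events session in place of the product's profiler sessions, and assumes a hypothetical whitelist containing the login `app_svc` and every application whose name begins with `SQLAgent`. The session predicate drops whitelisted entities at capture time, so they never reach the trace file, and the file target size plays the role of the 50,000-record cap. The second statement reads the trace file back and produces the "activities grouped by day and login" view.

```sql
-- Added example (not Experda's own code). Assumes Microsoft SQL Server 2012+
-- and a hypothetical whitelist: login 'app_svc' and applications 'SQLAgent%'.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions
           WHERE name = N'suspicious_activity_demo')
    DROP EVENT SESSION [suspicious_activity_demo] ON SERVER;
GO

CREATE EVENT SESSION [suspicious_activity_demo] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_app_name,
            sqlserver.database_name, sqlserver.client_hostname, sqlserver.sql_text)
    -- Whitelist filter: exact match on login, case-insensitive LIKE on app name.
    -- Whitelisted activity is discarded here and never written to the file.
    WHERE sqlserver.server_principal_name <> N'app_svc'
      AND NOT sqlserver.like_i_sql_unicode_string(sqlserver.client_app_name, N'SQLAgent%')
),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_app_name,
            sqlserver.database_name, sqlserver.client_hostname, sqlserver.sql_text)
    WHERE sqlserver.server_principal_name <> N'app_svc'
      AND NOT sqlserver.like_i_sql_unicode_string(sqlserver.client_app_name, N'SQLAgent%')
)
ADD TARGET package0.event_file (
    SET filename = N'C:\Traces\suspicious_activity_demo.xel',  -- hypothetical path
        max_file_size = 50,        -- MB per file
        max_rollover_files = 2)    -- bounded disk use, the analogue of the record cap
WITH (MAX_MEMORY = 4096 KB,
      EVENT_RETENTION_MODE = ALLOW_SINGLE_EVENT_LOSS,  -- never stall user queries
      MAX_DISPATCH_LATENCY = 5 SECONDS,
      STARTUP_STATE = OFF);
GO

ALTER EVENT SESSION [suspicious_activity_demo] ON SERVER STATE = START;
GO

-- Read the trace file back, keep the first 50,000 records (the module's cap),
-- and group the remaining, non-whitelisted activity by day and login.
;WITH raw_events AS (
    SELECT CAST(event_data AS xml) AS x
    FROM sys.fn_xe_file_target_read_file(
             N'C:\Traces\suspicious_activity_demo*.xel', NULL, NULL, NULL)
), parsed AS (
    SELECT TOP (50000)
        x.value('(event/@timestamp)[1]', 'datetime2')                                       AS event_time_utc,
        x.value('(event/action[@name="server_principal_name"]/value)[1]', 'nvarchar(128)') AS login_name,
        x.value('(event/action[@name="client_app_name"]/value)[1]',       'nvarchar(256)') AS app_name,
        x.value('(event/action[@name="database_name"]/value)[1]',         'nvarchar(128)') AS database_name,
        x.value('(event/action[@name="sql_text"]/value)[1]',              'nvarchar(max)') AS sql_text
    FROM raw_events
    ORDER BY event_time_utc
)
SELECT CAST(event_time_utc AS date) AS activity_day,
       login_name,
       COUNT(*)                      AS activities,
       COUNT(DISTINCT app_name)      AS distinct_apps,
       COUNT(DISTINCT database_name) AS distinct_databases
FROM parsed
GROUP BY CAST(event_time_utc AS date), login_name
ORDER BY activity_day DESC, activities DESC;
```

Two practical points follow from this shape. The predicate is evaluated for every batch and RPC on the server, so a session like this is never free; trimming the volume through the whitelist is what keeps the cost down, which is the same reason the module becomes cheaper as more entities are whitelisted. And because whitelisted entities are dropped before they are written, a whitelisted login that is later compromised leaves no trace here, so the whitelist itself needs periodic review.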
Legend

| # | Item |
|---|------|
| 1 | Total suspicious activities found for the given server. When this number approaches 50,000, the module holds until objects are added to the whitelist; whitelisting deletes their records and frees storage until 50,000 records are reached again. Keep the count low by "cleaning" regularly, that is, adding recognized objects to the whitelist from the suspicious activity settings. |
| 2 | Total suspicious applications found (not whitelisted). |
| 3 | Activity of logins, grouped by day and login. |
| 4 | Settings button: opens the suspicious activity settings, where objects are added to or removed from the whitelists. |
| 5 | Total suspicious logins found (not whitelisted). |
| 6 | Total databases in which suspicious activity has been found. |
| 7 | Detailed results grid of all suspicious activities found. |
Filtering the suspicious records: records can be filtered by login name or by application name. Filtering also affects the grouping.
In addition, a global search textbox finds specific logins, queries or applications quickly.
Suspicious Activity Settings
The suspicious activity module is built around two whitelists: Applications and Logins.
To make the best use of the module, review the suspicious records weekly and move any non-threatening logins or applications that you recognize to the whitelist. Review the whitelists themselves periodically as well: activity from a whitelisted login or application is never recorded, so a whitelisted account that is later misused will not appear in this module.
Main Suspicious Records Settings – Records View
Legend

| # | Item |
|---|------|
| 1 | Filter by logins or by applications. The default is filter by login. |
| 2 | Search textbox to find logins or applications quickly. |
| 3 | Results grid. |
Main Suspicious Records Settings – Whitelist View
Legend

| # | Item |
|---|------|
| 1 | Toggle the page between the suspicious records view and the whitelist view. |
| 2 | Enable or disable the entire module for the selected server. The module is enabled by default. |

| # | Item |
|---|------|
| 1 | "Add to whitelist" action for multiple selected entities. |
| 2 | List of all whitelisted logins. |

| # | Item |
|---|------|
| 1 | Remove buttons: remove the selected entity from the whitelist, so its activity is recorded as suspicious again. |
| 2 | List of all whitelisted applications. |