This note describes how to create AVDF Critical and Warning alerts. We will generate an alert when the number of failed login attempts exceeds a defined threshold, and a Critical alert when a privileged user such as a DBA modifies data in a table marked as 'sensitive'.
Open the Policies menu and click on the target database
We see the Core Policies that ship out-of-the-box with AVDF, the predefined Unified Auditing policies, and some custom policies that have been created in this case.

Click Provision Unified Policy

Create an alert policy that raises an alert if there are more than 5 failed login attempts within a one-minute window.


Connect to the database with an invalid password for the user SECADMIN_STEVE. We do this six times, so that the sixth attempt takes the count above the threshold of five within one minute:
SQL> connect "secadmin_steve@example.com"/Welcome_4@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> connect "secadmin_steve@example.com"/Welcome_4@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> connect "secadmin_steve@example.com"/Welcome_4@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> connect "secadmin_steve@example.com"/Welcome_4@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> connect "secadmin_steve@example.com"/Welcome_4@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
SQL> connect "secadmin_steve@example.com"/Welcome_4@pdb1
ERROR:
ORA-01017: invalid username/password; logon denied
Note that an alert has been raised

Click on the alert to get further details about it.

Create an alert policy that raises an alert with severity Critical if a DBA tries to modify data in any of the tables and columns that have been configured as containing sensitive data.
Note the Condition: it combines the actor (a privileged DBA user), the action (a data modification) and the target (an object flagged as sensitive).


Connect as a DBA and execute an update on the EMPLOYEES table, one of the tables flagged as containing 'sensitive' data:
SQL> connect "dba_charles@example.com"/Oracle_4U@PDB1
Connected.
SQL> update HCM.EMPLOYEES set SALARY=23999 where EMAIL='samkirk@example.com';
1 row updated.
SQL> commit;
Commit complete.
Note that now a Critical alert has been raised.

Open the alert to get more details.
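The two alert conditions above are configured in the AVDF console, so the page never shows the evaluation logic itself. The following is an added example, not AVDF's own code or the author's: it re-implements both rules (more than five failed logins within one minute, and a DBA modifying a sensitive table) over a constructed list of unified-audit-style records, so the thresholds and the window handling can be checked offline. The record fields (ts, user, action, return_code, owner, object), the privileged-user list and the sensitive-object list are assumptions made for the example; in AVDF the DBA role and the sensitive-object inventory come from the target's configuration, not from hard-coded sets.

```python
"""Offline re-implementation of the two AVDF alert conditions.

Added example, not AVDF's own code. The audit record layout and the
PRIVILEGED_USERS / SENSITIVE_OBJECTS sets are assumptions for the demo.
"""
from collections import deque
from datetime import datetime, timedelta

FAILED_LOGIN_THRESHOLD = 5                 # alert once attempts exceed this
FAILED_LOGIN_WINDOW = timedelta(minutes=1)
ORA_01017 = 1017                           # invalid username/password
DML_ACTIONS = {"INSERT", "UPDATE", "DELETE", "MERGE"}

# Assumed inventory (in AVDF this comes from the target configuration).
PRIVILEGED_USERS = {"dba_charles@example.com"}
SENSITIVE_OBJECTS = {("HCM", "EMPLOYEES"), ("HCM", "SALARY_HISTORY")}


def evaluate(events):
    """Return a list of (severity, user, message) alerts for the events.

    events must be in chronological order. Each is a dict with keys
    ts (ISO-8601 string), user, action, return_code (0 = success) and,
    for DML, owner and object.
    """
    alerts = []
    recent_failures = {}  # user -> deque of failure timestamps inside the window

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"].lower()

        # Rule 1 (Warning): more than FAILED_LOGIN_THRESHOLD ORA-01017
        # logons from one user inside a sliding one-minute window.
        if ev["action"] == "LOGON" and ev["return_code"] == ORA_01017:
            window = recent_failures.setdefault(user, deque())
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) > FAILED_LOGIN_THRESHOLD:
                alerts.append(("Warning", user,
                               f"{len(window)} failed logons within {FAILED_LOGIN_WINDOW}"))
                window.clear()   # one alert per burst, not one per extra attempt
            continue

        # Rule 2 (Critical): a privileged user tries to modify a sensitive
        # object. The attempt is flagged whether or not it succeeded.
        if (ev["action"] in DML_ACTIONS and user in PRIVILEGED_USERS
                and (ev["owner"], ev["object"]) in SENSITIVE_OBJECTS):
            alerts.append(("Critical", user,
                           f"{ev['action']} on {ev['owner']}.{ev['object']}"))
    return alerts


def _logon_fail(ts, user="secadmin_steve@example.com"):
    return {"ts": ts.isoformat(), "user": user, "action": "LOGON",
            "return_code": ORA_01017}


def _dml(ts, user, owner, obj, action="UPDATE", rc=0):
    return {"ts": ts.isoformat(), "user": user, "action": action,
            "return_code": rc, "owner": owner, "object": obj}


def sample_events():
    """Constructed audit records mirroring the walkthrough (not real data)."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    evs = [_logon_fail(base - timedelta(minutes=6))]          # stale, outside window
    evs += [_logon_fail(base + timedelta(seconds=8 * i)) for i in range(6)]
    evs.append(_dml(base + timedelta(minutes=2), "dba_charles@example.com",
                    "HCM", "EMPLOYEES"))                        # Critical
    evs.append(_dml(base + timedelta(minutes=3), "dba_charles@example.com",
                    "HCM", "DEPARTMENTS"))                      # not sensitive
    evs.append(_dml(base + timedelta(minutes=4), "hr_app@example.com",
                    "HCM", "EMPLOYEES"))                        # not a DBA
    return evs


if __name__ == "__main__":
    for severity, user, msg in evaluate(sample_events()):
        print(f"{severity:8} {user:30} {msg}")
```

The stale failure six minutes earlier is deliberately included: it must be evicted from the window before the count is compared with the threshold, otherwise a slow trickle of wrong passwords over a day would eventually trip a rule meant for bursts. Clearing the deque after an alert is a choice, not an AVDF behaviour: it gives one alert per burst rather than one per additional attempt.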
