Cyral detects a wide range of events that happen on your data endpoints and creates alerts for those you should be aware of. You can view these alerts in the Alerts tab of the Management Console, and you can configure Cyral to send them to your team through a messaging service like Slack or Microsoft Teams, or an incident response service like The Hive.
Types of alerts
Cyral provides two main families of alerts to notify you of activity in your data repositories:
Policy alerts are triggered when a user or administrator attempts an action that would violate one of your policy rules in Cyral. You must create data maps and at least one policy to use policy alerts.
Preconfigured alerts don't rely on policies. Instead, they're triggered by common DDL and DML actions on your data repository platforms. See the later section, "Preconfigured alerts" for a list of actions that trigger alerts.
To view alerts in the Management Console, click Alerts. You can filter results using the Time Period dropdown, and you can sort based on any column by clicking its heading.
Some alerts contain more details that you can see by toggling the down-arrow on the right side of the alert entry.
Set up alert notifications
Cyral can broadcast alert notifications through various messaging platforms, including Slack. See Cyral's alerts instructions for details.
Most alerts contain:
- the date and time the event happened
- the type of event (See the table below for a list)
- the name of the affected data endpoint
For user-triggered events:
- the SSO username of the user whose action triggered the alert
- the database username of the user whose action triggered the alert
- the DDL or DML command that triggered the alert
For DML events:
- the name of the affected database element, table, or column
For DDL events:
- a shorthand summary of the DDL event type, like DROP TABLE or CREATE USER
Below, we list the preconfigured alerts for the most commonly used data repository platforms.
- Authentication failure (By default, Cyral sends an alert on the third failure)
- Create, modify, or delete object: Note that you can view these by object type and by user.
- Create user account
- Create role
- Modify user account
- Modify auth mechanisms
- Modify object
- Modify role
- Grant/revoke user privileges
- Grant/revoke role privileges
- Modify audit and logging
- Modify configuration settings
- Privileged commands
- Full table scan