Internal Activity Policies
Monitor and enforce access by employees, service accounts, and AI agents to your data assets.
Internal Activity policies monitor runtime database access by humans, applications, and AI agents inside your environment. They require the Aurva Data Plane (Data Plane) with activity monitoring enabled on the target data source.
Additional Steps vs. Data at Rest
The Internal Activity wizard includes all five steps from Data at Rest policies, plus two additional steps between asset selection and conditions:
Select Accessors
Choose who the policy applies to:
- Humans — database users mapped to real employees
- Applications — service accounts and microservices
- AI Agents — autonomous agents making database calls
Scope by All, Individual, or Group (by department, role, privilege level, or custom tags).
Condition Fields
| Field | Description |
|---|---|
| Database user | Specific DB username |
| Operation type | SELECT, INSERT, UPDATE, DELETE, DDL |
| Access window | Time-of-day or day-of-week constraints |
| Tables accessed | Specific table names |
| Row volume | Number of rows returned |
| Source IP | CIDR range or specific IP |
| Sensitive data types | PII, PHI, PCI, etc. |
| Query patterns | UNION SELECT, COPY, INTO OUTFILE |
Ready-to-Use Recipes
Mass PII Export
Accessor: All | Condition: rows ≥ 100,000 AND sensitive type includes PII | Severity: High
After-Hours Privileged Access
Accessor: privileged role group | Condition: access window NOT IN 09:00–18:00 Mon–Fri | Severity: High
Suspicious SQL Patterns
Condition: query contains UNION SELECT OR COPY OR INTO OUTFILE | Severity: Critical
Non-Corporate IP Access
Condition: source IP NOT IN corporate CIDR AND sensitive data = true | Severity: High
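The four recipe conditions above, written out as plain detection logic over constructed access events. This is an added example, not Aurva's implementation or policy syntax: the event field names, the `10.0.0.0/8` corporate range, the reading of "sensitive data = true" as "any sensitive type present", and the use of word-boundary matching for the SQL patterns are all assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Assumption: hypothetical corporate range (an RFC 1918 block as a placeholder).
CORPORATE_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]
# Case-insensitive, whitespace-tolerant; \b keeps identifiers like copy_id from matching.
SUSPICIOUS_SQL = re.compile(r"\b(UNION\s+SELECT|COPY|INTO\s+OUTFILE)\b", re.IGNORECASE)

def in_business_hours(ts: datetime) -> bool:
    # 09:00-18:00 Mon-Fri; weekday() is 0 for Monday. Timestamp assumed local.
    return ts.weekday() < 5 and 9 <= ts.hour < 18

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_CIDRS)

def evaluate(event: dict) -> list:
    """Return (recipe, severity) for every recipe the event matches."""
    hits = []
    sensitive = set(event.get("sensitive_types", []))
    if event["rows"] >= 100_000 and "PII" in sensitive:
        hits.append(("Mass PII Export", "High"))
    if event.get("privileged") and not in_business_hours(event["ts"]):
        hits.append(("After-Hours Privileged Access", "High"))
    if SUSPICIOUS_SQL.search(event["query"]):
        hits.append(("Suspicious SQL Patterns", "Critical"))
    if sensitive and not is_corporate(event["source_ip"]):
        hits.append(("Non-Corporate IP Access", "High"))
    return hits

# Constructed sample events (not real audit data); field names are hypothetical.
EVENTS = [
    {"user": "svc_reports", "privileged": False, "rows": 250_000,
     "sensitive_types": ["PII"], "source_ip": "10.2.3.4",
     "ts": datetime(2024, 3, 5, 11, 0), "query": "SELECT * FROM customers"},
    {"user": "dba_admin", "privileged": True, "rows": 12,
     "sensitive_types": [], "source_ip": "10.9.9.9",
     "ts": datetime(2024, 3, 9, 23, 30), "query": "SELECT id FROM orders"},
    {"user": "app_web", "privileged": False, "rows": 40,
     "sensitive_types": ["PCI"], "source_ip": "203.0.113.7",
     "ts": datetime(2024, 3, 5, 14, 0),
     "query": "select name from t union  select card_no from cards"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["user"], evaluate(e))
```

One event can match several recipes, which is why each recipe is kept as its own check with its own severity.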
Best Practices
Start with narrow scope (individual assets, specific DB users) and expand to Groups once you've validated the policy doesn't generate false positives.
- One risk per policy — simpler routing and remediation
- Prefer Group-based accessor scoping for org-wide coverage
- Review detected patterns in the Audit Trail before activating a policy in alert mode