How to manage the review of multiple database security incidents
Incident management - track and resolve database security incidents.
About this task
Administrators can group a series of related policy violations into a single incident and assign it to specific individuals. This reduces the number of separate policy violations that oversight teams need to review.
Prerequisites
- Create a Policy (See Policies).
- Start inspection engines (See Inspection Engine Configuration).
A security policy contains an ordered set of rules to be applied to the observed traffic between database clients and servers.
A policy violation is logged each time that a rule is triggered. Policy violations can be assigned to incidents, either automatically by a process, or manually by authorized users (see Incident Management).
Summary of Steps
- Click Incident Generation Processes.
- Edit the Incident Generation Process (Query, Severity, Threshold, Scheduling).
- Go to the Incident Management tab for reports.
Incident Management
The Incident Management application provides a business-user interface with workflow automation for tracking and resolving database security incidents.
Incident generation processes can be defined and scheduled to read the policy violations log and generate new incidents. Each incident generated by such a process is:
- Assigned a unique incident number.
- Assigned to a user.
- Assigned a severity code.
- Assigned to a category.
In addition, policy violations can be assigned manually (by authorized users) to new incidents or existing incidents from the Policy Violations / Incident Management report.
Once an incident has been generated, administrators and other users work with incidents from the Incident Management tab, which is included on both the admin and user portals. From there, all other tasks can be performed (assign incidents, send notifications, assign status, and so forth).
The Incident Management functions can be accessed from the drill-down menus of the Incident Management reports. Each user may only have a subset of reports or functions available, depending on the security roles assigned to the user account.
Define an Incident Generation Process
An incident generation process executes a query against the policy violations log, and generates incidents based on that query. By default, the definition and scheduling of incident generation processes is restricted to users with the admin role.
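The query-plus-threshold behaviour described above, as an added, simplified model (not the product's own code): matching violations are grouped and an incident is opened only when a group reaches the threshold. The grouping key (rule, client IP), the field names and the sample log are assumptions.

```python
# Simplified model of an incident generation process (hypothetical, not product code).
from dataclasses import dataclass, field
from itertools import count

@dataclass(frozen=True)
class Violation:
    rule: str        # policy rule that fired
    client_ip: str   # database client that triggered it
    db_user: str
    severity: str    # severity recorded by the rule

@dataclass
class Incident:
    number: int      # unique incident number
    assignee: str    # user the incident is assigned to
    severity: str    # severity code set by the process
    category: str
    violations: list = field(default_factory=list)

_incident_numbers = count(1)  # unique across all processes in this model

def generate_incidents(log, query, threshold, assignee, severity, category):
    """Run one process: select violations with `query`, group them by
    (rule, client_ip) and open an incident for each group of at least
    `threshold` violations. Smaller groups stay unassigned in the log."""
    groups = {}
    for v in filter(query, log):
        groups.setdefault((v.rule, v.client_ip), []).append(v)
    incidents = []
    for key in sorted(groups):
        vs = groups[key]
        if len(vs) < threshold:
            continue
        incidents.append(Incident(next(_incident_numbers), assignee, severity, category, vs))
    return incidents

# Constructed sample of a policy violations log (hypothetical values).
SAMPLE_LOG = [
    Violation("Failed login", "10.0.0.5", "appuser", "MED"),
    Violation("Failed login", "10.0.0.5", "appuser", "MED"),
    Violation("Failed login", "10.0.0.5", "admin", "MED"),
    Violation("Failed login", "10.0.0.9", "appuser", "MED"),
    Violation("Select on CREDIT_CARD", "10.0.0.7", "analyst", "HIGH"),
]

if __name__ == "__main__":
    for inc in generate_incidents(SAMPLE_LOG, lambda v: v.rule == "Failed login",
                                  3, "dba_oncall", "HIGH", "Authentication"):
        print(inc.number, inc.assignee, inc.severity, inc.category, len(inc.violations))
```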