Configure and enable Risk Spotter
Configure and enable the required and optional Guardium® and Risk Spotter modules, then enable Risk Spotter itself.
Before you begin
- All collectors must be running V11.0 or later.
- Ports 8983 and 9983, on both the collectors and the central manager, are opened when you enable enterprise search. Verify that these ports are not blocked by any firewall.
- On the central manager or standalone system: Enter the GuardAPI command: grdapi restart_solr.
- On the central manager: Enterprise search should be enabled by default. To check the Enterprise search status, enter the following GuardAPI command: grdapi get_quick_search_info
If it isn't enabled, enter the following GuardAPI command: grdapi enable_quick_search schedule_interval=2 schedule_units=MINUTE all=true includeViolations=true
- Some Guardium modules must be enabled or configured before you can enable Risk Spotter. They are included in this task. You can enable the Risk Spotter process without enabling the optional Guardium modules. You get the best protection by enabling both the required and optional modules.
- Enabling Risk Spotter only activates risk assessment for users audited by your installed policies. To dynamically audit risky users with Dynamic Auditing, create and install a Risk Spotter policy. See Create a Dynamic Auditing policy and Using the Policy Installation tool.
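The firewall prerequisite above (TCP 8983 and 9983 reachable on every collector and on the central manager) can be checked from an admin workstation before you start. The following script is an added example, not IBM's code; it assumes bash with /dev/tcp support and the coreutils timeout command, and the host names shown in the comments are constructed placeholders.

```bash
#!/usr/bin/env bash
# Pre-flight check for the Risk Spotter prerequisite that the enterprise
# search ports are not blocked between the admin host and each appliance.
# Added example, not IBM Guardium code. Usage (constructed host names):
#   ./check_rs_ports.sh cm01.example.internal col01.example.internal

# Ports opened when enterprise search is enabled (from the prerequisites).
ENTERPRISE_SEARCH_PORTS="8983 9983"

# Return 0 if a TCP connection to host:port succeeds within 3 seconds.
# Uses bash's /dev/tcp so no nc or nmap is needed on the admin host.
port_open() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/${host}/${port}" 2>/dev/null
}

# Probe every host given as an argument on every enterprise search port.
# Prints one "host:port open|blocked" line per probe and returns the
# number of blocked ports, so 0 means the prerequisite is satisfied.
check_hosts() {
  local blocked=0 host port
  for host in "$@"; do
    for port in $ENTERPRISE_SEARCH_PORTS; do
      if port_open "$host" "$port"; then
        echo "${host}:${port} open"
      else
        echo "${host}:${port} blocked"
        blocked=$((blocked + 1))
      fi
    done
  done
  return "$blocked"
}

# Run only when appliances are passed on the command line: the central
# manager first, then each collector.
if [ "$#" -gt 0 ]; then
  check_hosts "$@"
  echo "blocked ports: $?"
fi
```

Run it once per network segment that separates collectors from the central manager, since a port open from the admin host may still be filtered between appliances.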
About this task
Configure Risk Spotter on the central manager or on a stand-alone Guardium system. In a central manager environment, enable all modules once on the central manager only. If you install a Risk Spotter policy, this is also managed from the central manager.
- Enterprise search: Queries data across the entire Guardium environment. It is enabled by default.
- Unit utilization data processing: Assesses the resource utilization of each Guardium system in your environment to maximize user auditing. See step 3.
- S-TAP and buffer usage monitoring: Enables the central manager to get updated information on unit utilization and on its managed units. (Not relevant for standalone Guardium systems.) See step 4.
- Dynamic Auditing: To get the most comprehensive risk assessment, configure Dynamic Auditing: create, install, and select a policy that incorporates the Risk Spotter – Audited Risky users group. This policy audits identified risky users and users in the Risk Spotter watchlist, and it samples users beyond your policy radar to identify additional risks. For details on creating the policy, see Create a Dynamic Auditing policy.
- The Database Protection Subscription service (DPS) publishes updates to known vulnerabilities (known risks). The DPS file is not mandatory, but without it the risk scores are less accurate. (Best practice is to subscribe to this service whether you use Risk Spotter or not.) See step 5.
- Active Threat Analytics identifies various types of suspected attacks. These findings are incorporated into the Risk Spotter analysis. See step 6.
Click Logs and Status to open the Risk Spotter events log. This log records details such as the start and end of the Risk Spotter processes and whether and when the Risk Spotter policy was uninstalled.
Procedure
Results
After the first run of the risk score process (between 01:00-02:00 daily), the Risk Spotter page shows results. The risky users are added incrementally according to the available collector resources.