Excluding items from Active Threat Analytics

Exclude items from the Active Threat Analytics process.

About this task

You might want to exclude certain sources and activities from the Active Threat Analytics processes altogether, for example test data or activities that are run by automated processes, to conserve resources and reduce false positives.

Excluding sources from Active Threat Analytics:

A source is a database, a database user (DB user), or an operating system user (OS user).

You can exclude sources from the analytics process based on the following attributes:

  • Server IP
  • Database
  • Database user
  • Operating system user

Each such row is called an exclude item, though one item might match several sources. All the attributes that you specify in one exclude item must match for a source to be excluded; an attribute that you leave blank does not constrain the match. You can use the asterisk character (*) as a wildcard that matches any string. Excluded sources are removed from all Active Threat Analytics processes: Outlier mining, Threat finder, and Threat diagnostics.

Examples of exclude items:
Example 1

Server IP=130.23.45.55

Result: all databases on this server, and all DB users of those databases, are excluded from analytics.

Example 2

Server IP=130.23.*

Database=QA_*

Result: all databases whose names start with “QA_” on all servers in the 130.23 subnet are excluded from analytics, together with all DB users of those databases. The wildcard is a string match, not a network mask: “130.23.*” matches any address that begins with “130.23.”, so anchor IP patterns on a complete octet.

Example 3

Database user=QATEST

Result: database user “QATEST” is excluded from analytics in all databases.

You can also exclude a source from a specific category only. For example, if you exclude a database from the “New grants” category only, that database is still analyzed for all other categories.

Excluding activities from Outlier mining:

You can exclude activities and exceptions from the Outlier mining process only, based on the source program (application) or the object. Use this capability, for example, to exclude temporary tables or activities that are run by trusted applications, to reduce false positives. Because the source program name is reported by the client, a broad exclusion by program name also hides any activity that presents the same name; keep such items narrow and record the reason in the comment.

Excluding sources and activities from Active Threat Analytics on a temporary basis:

Specify start and end dates on the exclude item to exclude sources and activities temporarily.

Note: You can set dates in the future only. The exclude list cannot be used to remove cases that were already created.
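To check how a planned exclude list behaves before you rely on it, the following Python model applies the matching rules described above (the asterisk wildcard, AND across the fields of one item, OR across items, category scoping, activity fields that apply to Outlier mining only, and the start and end dates) to constructed sample events. It is an added example and not Guardium code: the ExcludeItem and Event classes, the helper names, the sample exclude list, and the assumptions that a blank field matches anything, that * also matches the empty string, and that the date window is inclusive are all made for this example; the category name “SQL injection” and the program name “nightly_etl” are sample values only.

```python
"""Dry-run model of Active Threat Analytics exclude items.

Added example, not Guardium code. The classes, helper names and the exact
rules (AND across the fields of one item, OR across items, "*" matches any
string including the empty one, blank field = no constraint, inclusive
date window) are assumptions made to illustrate the semantics in the text.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass
class ExcludeItem:
    server_ip: str = "*"
    database: str = "*"
    db_user: str = "*"
    os_user: str = "*"
    category: Optional[str] = None   # None = applies to every category
    source_program: str = "*"        # activity fields: Outlier mining only
    obj: str = "*"
    start: Optional[date] = None     # period start (inclusive)
    end: Optional[date] = None       # period end (inclusive); None = open-ended
    comment: str = ""


@dataclass
class Event:
    """One analysed activity or case (constructed sample input, not real data)."""
    when: date
    process: str                     # "Outlier mining", "Threat finder", "Threat diagnostics"
    category: str
    server_ip: str
    database: str = ""
    db_user: str = ""
    os_user: str = ""
    source_program: str = ""
    obj: str = ""


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' replaces any string; every other character is literal.

    This is string matching, not CIDR matching: '130.2*' also matches
    130.200.1.1, so anchor IP patterns on a full octet ('130.2.*').
    """
    if pattern == "":
        return True                  # blank field = no constraint (assumption)
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def item_excludes(item: ExcludeItem, ev: Event) -> bool:
    """True if this single exclude item removes the event from analysis."""
    if item.start is not None and ev.when < item.start:
        return False
    if item.end is not None and ev.when > item.end:
        return False
    if item.category is not None and item.category != ev.category:
        return False
    # Source program / object only ever filter Outlier mining cases.
    activity_filter = item.source_program != "*" or item.obj != "*"
    if activity_filter and ev.process != "Outlier mining":
        return False
    pairs = [
        (item.server_ip, ev.server_ip),
        (item.database, ev.database),
        (item.db_user, ev.db_user),
        (item.os_user, ev.os_user),
        (item.source_program, ev.source_program),
        (item.obj, ev.obj),
    ]
    return all(wildcard_match(p, v) for p, v in pairs)   # AND within one item


def matching_items(exclude_list: Iterable[ExcludeItem], ev: Event) -> List[ExcludeItem]:
    """Every item that would exclude the event (OR across items); empty = analysed."""
    return [it for it in exclude_list if item_excludes(it, ev)]


def is_excluded(exclude_list: Iterable[ExcludeItem], ev: Event) -> bool:
    return bool(matching_items(exclude_list, ev))


# The three examples from the text plus a category-scoped and a temporary item.
# "SQL injection" and "nightly_etl" are sample values chosen for this example.
SAMPLE_EXCLUDE_LIST = [
    ExcludeItem(server_ip="130.23.45.55", comment="example 1: whole server"),
    ExcludeItem(server_ip="130.23.*", database="QA_*", comment="example 2: QA DBs in 130.23"),
    ExcludeItem(db_user="QATEST", comment="example 3: one DB user everywhere"),
    ExcludeItem(database="HR", category="New grants", comment="HR: skip New grants only"),
    ExcludeItem(source_program="nightly_etl", start=date(2025, 1, 1), end=date(2025, 1, 31),
                comment="Outlier mining: ignore the ETL job during its January migration"),
]
```

Call matching_items(SAMPLE_EXCLUDE_LIST, event) for each event you expect to see and read back the comments of the items that fire; an event that is excluded by more than one item, or by an item whose comment you do not recognise, is a sign that a wildcard is wider than intended.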
Restriction:

The following limitations apply only to managed units that run Guardium versions earlier than 12.0 while their central manager is upgraded to version 12.0 or later:

  • The managed unit is not updated when you update or delete an exclude item.
  • Items that are excluded temporarily, that is, items with an end date, do not take effect on the managed units.
  • When you enter a future start date on an exclude item, the exclusion starts immediately on the managed units.
  • Cases that are created from the managed unit are not excluded based on their category.

Procedure

  1. You can view the exclude list as a whole from Active Threat Analytics setup. Go to Manage > Maintenance > Active Threat Analytics Setup > Analytics exclusion section, or click Active Threat Analytics setup from the main Active Threat Analytics page.
  2. After you access the exclude list from either of these paths, you can edit the list by adding new items or removing existing items. To add an item, click the add icon and select a period start in the window that appears. You can also select a period end, but it is not required. These two fields define the period during which the item is excluded. (Step 3 addresses the other fields in this window.) To remove an item, select it and click the remove icon.

    You can also add new items to the exclude list (but not remove items or view or edit the exclude list as a whole) from some other places in the UI.

    • To add items to the exclude list from Active Threat Analytics, click Active Threat Analytics from the Welcome page or from Protect > Uncover threat vectors > Active Threat Analytics. Select a case whose source you want to exclude and click Actions > Add to exclude list. Alternatively, open the case's details and then click Actions > Add to exclude list. Define the period start as usual.
    • To add items to the exclude list from the Investigation Dashboard, go to Welcome > Investigation dashboard > Outliers tab. In the Outliers table, right-click the wanted outlier and select Add to analytic exclude list. Define the period start as usual.
  3. From all the paths described so far, you can view and adjust the exclusion parameters of an existing item. Select the item that you want to edit and click the edit icon.
    • Add, remove, or edit the values of the fields in the window that appears. Define the Server IP, Database, Database user, and Operating system user to exclude in the respective fields (where relevant). Use an asterisk (*) in these fields as a wildcard for any string.
    • The Category field defines specific threat categories to exclude, and you can use it in tandem with the Server IP, Database, Database user, and Operating system user fields. You can read more about each threat category in Threat descriptions.
    • If you do not want to see any cases from a specific category, you can deactivate the entire category. In the Categories section of Active Threat Analytics setup, choose the categories that you want to deactivate and click Actions > Inactivate.
    • The Source program and Object fields define specific activities and exceptions to exclude. These fields apply only to cases that stem from the Outlier mining process, and they cannot be used in tandem with the Category field.
    • Add a comment in the Comment field to remind yourself or other users why you are making the current exclusion selections.