Excluding items from Active Threat Analytics
Exclude items from the Active Threat Analytics process.
About this task
You might want to exclude certain sources and activities from the Active Threat Analytics processes altogether, to optimize resources and reduce false positives: for example, test data, or activities that are run by automated processes.
Excluding sources from Active Threat Analytics:
A source is a database, a database user (DB user), or an operating system user (OS user).
You can exclude sources from the analytics process based on the following attributes:
- Server IP
- Database
- Database user
- Operating system user
Each row in the exclusion list is called an exclude item, though a single item might match several sources. You can use the asterisk character (*) as a wildcard that matches any string. Excluded sources are removed from all Active Threat Analytics processes: Outlier mining, Threat finder, and Threat diagnostics.
Examples of exclude items:
- Example 1: Server IP=130.23.45.55
  Result: all the databases on this server, and all the DB users of those databases, are excluded from analytics.
You can also choose to exclude sources from a specific category only. For example, you can exclude a database from the “New grants” category only; the database is still analyzed for all other categories.
Excluding activities from Outlier mining:
You can exclude activities and exceptions from the Outlier mining process only, based on the source program (application) or the object. Use this capability, for example, to exclude temporary tables, or activities that are run by trustworthy applications, in order to reduce false positives.
Excluding sources and activities from Active Threat Analytics on a temporary basis:
Specify start and end dates on the exclude item to exclude sources and activities temporarily.
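The following is an added illustration of how the exclusion rules described above (attribute matching with the asterisk wildcard, category-limited items, and start/end dates) can be evaluated against a source. It is example code written for this page, not Guardium's own implementation; the field names, the sample exclusion list and the rule that an unspecified attribute matches any value are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

def wildcard_match(pattern: str, value: str) -> bool:
    """Match with '*' as the only wildcard (any string, including empty)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

@dataclass
class ExcludeItem:
    """One row of the exclusion list (assumed field set, not Guardium's schema)."""
    server_ip: str = "*"
    database: str = "*"
    db_user: str = "*"
    os_user: str = "*"
    category: Optional[str] = None   # None = excluded from every category
    start: Optional[date] = None     # None = no start bound
    end: Optional[date] = None       # None = no end bound

@dataclass
class Source:
    server_ip: str
    database: str
    db_user: str
    os_user: str

def item_applies(item: ExcludeItem, src: Source, category: str, day: date) -> bool:
    """True if this exclude item removes `src` from `category` analysis on `day`."""
    if item.start and day < item.start:
        return False
    if item.end and day > item.end:
        return False
    if item.category is not None and item.category != category:
        return False
    pairs = ((item.server_ip, src.server_ip), (item.database, src.database),
             (item.db_user, src.db_user), (item.os_user, src.os_user))
    return all(wildcard_match(p, v) for p, v in pairs)

def is_excluded(items, src: Source, category: str, day: date) -> bool:
    return any(item_applies(i, src, category, day) for i in items)

# Constructed sample exclusion list: Example 1 from the page, a category-
# limited item, and a temporary item for test accounts (all assumed values).
ITEMS = [
    ExcludeItem(server_ip="130.23.45.55"),
    ExcludeItem(database="hr_db", category="New grants"),
    ExcludeItem(db_user="test_*", start=date(2024, 1, 1), end=date(2024, 1, 31)),
]
```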
The following limitations affect only managed units that run Guardium versions earlier than 12.0 while their central manager is upgraded to version 12.0 or later:
- The managed unit is not updated when you update or delete an exclusion item.
- Items excluded temporarily, that is, items with an end date selected, do not take effect on the managed units.
- When you enter a future start date on an exclude item, the exclusion starts immediately on the managed units.
- Cases that are created from the managed unit are not excluded based on their category.