Excluding items from Active Threat Analytics

You can exclude certain sources and activities from the Active Threat Analytics processes to optimize resources and reduce false positives.

About this task

You can exclude sources from Active Threat Analytics processes based on the following attributes.
  • Server IP
  • Database
  • Database user
  • Operating system user

Each such row is called an exclude item, though it might match several sources. You can use the asterisk character as a wildcard that replaces any string. The sources are excluded from all Active Threat Analytic processes – Outlier mining, Threat finder, and Threat diagnostics.

The following are examples of exclude items.
  • If you exclude Server IP=130.23.45.55, all the databases on this server and all the DB users of these databases are excluded from analytics.
  • If you exclude Server IP=130.23.* and Database=QA_*, all the databases that start with QA_ on all the servers in subnet 130.23 and all DB users of these databases are excluded from analytics.
  • If you exclude Database user=QATEST, database user QATEST is excluded from analytics in all the databases.

You can also choose to exclude sources only from a specific category. For example, you can exclude a database only from the “New grants” category; the database is then still analyzed for all other categories.
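The matching rules above (one attribute per field, an asterisk standing for any string, and an optional category scope) can be modelled to check which open cases a proposed exclude item would hide before it is saved. This is an added illustration, not Guardium code; it assumes case-sensitive matching and the field names shown, and the sample cases are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Attributes an exclude item can constrain; "*" means "any value".
SOURCE_FIELDS = ("server_ip", "database", "db_user", "os_user")

def _to_regex(value: str) -> "re.Pattern":
    # Only the asterisk is a wildcard (any string); every other character,
    # including the dots in an IP address, is matched literally.
    return re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$")

@dataclass(frozen=True)
class ExcludeItem:
    server_ip: str = "*"
    database: str = "*"
    db_user: str = "*"
    os_user: str = "*"
    category: Optional[str] = None  # None: excluded from every category

    def matches(self, case: dict) -> bool:
        """True when the case's source matches every field of this item and,
        if the item is scoped to a category, the case is in that category."""
        for name in SOURCE_FIELDS:
            if not _to_regex(getattr(self, name)).match(case[name]):
                return False
        return self.category is None or self.category == case["category"]

def is_excluded(case: dict, items) -> bool:
    return any(item.matches(case) for item in items)

def cases_suppressed_by(item: ExcludeItem, open_cases) -> list:
    """Audit helper: the open cases a proposed exclude item would hide,
    so an over-broad wildcard is noticed before the item is saved."""
    return [c for c in open_cases if item.matches(c)]

# Constructed sample cases (hypothetical, not real Guardium data).
OPEN_CASES = [
    {"server_ip": "130.23.45.55", "database": "HR", "db_user": "APP1", "os_user": "oracle", "category": "Outlier"},
    {"server_ip": "130.23.1.9", "database": "QA_ORDERS", "db_user": "TESTER", "os_user": "db2inst1", "category": "Outlier"},
    {"server_ip": "130.23.1.9", "database": "PROD_ORDERS", "db_user": "TESTER", "os_user": "db2inst1", "category": "Outlier"},
    {"server_ip": "10.0.0.7", "database": "QA_ORDERS", "db_user": "QATEST", "os_user": "mysql", "category": "New grants"},
    {"server_ip": "10.0.0.7", "database": "SALES", "db_user": "DBA", "os_user": "mysql", "category": "New grants"},
    {"server_ip": "10.0.0.7", "database": "SALES", "db_user": "DBA", "os_user": "mysql", "category": "Outlier"},
]

if __name__ == "__main__":
    proposed = ExcludeItem(server_ip="130.23.*", database="QA_*")
    for c in cases_suppressed_by(proposed, OPEN_CASES):
        print("would be excluded:", c["server_ip"], c["database"], c["db_user"])
```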

Restriction:

The following limitations affect only managed units that are working with Guardium 12.0 and earlier, while their central manager is upgraded to version 12.0 or later:

  • The managed unit is not updated when you update or delete an exclusion item.
  • Items excluded temporarily, that is, items with an end date selected, do not take effect on the managed units.
  • When you enter a future start date on an exclude item, the exclusion starts immediately on the managed units.
  • Cases cannot be excluded based on their category when the cases are created from the managed unit.

Adding items to the exclude list

You can add items to the exclude list from the Active Threat Analytics setup page, Active Threat Analytics dashboard, or the Investigation Dashboard.

Procedure

  1. To add items to the exclude list, you can use any one of the following methods.
    • Add items to the exclude list from the Active Threat Analytics setup page.
    1. To view the exclude list, go to Manage > Maintenance > Active Threat Analytics Setup > Analytics exclusion section, or click Active Threat Analytics setup from the main Active Threat Analytics page.
    2. To add an item, click the Add icon.
      The Add to analytic exclude list dialog opens.
    3. Select a period start in the window that appears. You can also select a period end, but it is not required. These fields define the window of time that the case is excluded.
    • Add items to the exclude list from the Active Threat Analytics dashboard.
    1. Select a case whose source you want to exclude and click Actions > Add to exclude list. Or click the Case details icon and then click Actions > Add to exclude list.
      The Add to analytic exclude list dialog opens.
    2. Define the period start and period end fields. These fields define the window of time that the case is excluded.
    • Add items to the exclude list from the Investigation Dashboard.
    1. Go to Welcome > Investigation dashboard > Outliers tab.
    2. In the outliers table, right-click the outlier that you want to exclude and select Add to analytic exclude list.
      The Add to analytic exclude list dialog opens.
    3. Define the period start and period end fields. These fields define the window of time that the case is excluded.
  2. From the Add to analytic exclude list dialog, you can configure the following fields.
    • Define a Server IP, Database, Database user, and Operating system user to exclude in the respective fields (if relevant). Use an asterisk in any of these fields as a wildcard that matches any string.
    • The Category field defines specific threat categories to exclude, and you can use it in tandem with the Server IP, Database, Database user, and Operating system user fields. For more information about each threat category, see Threat descriptions.
    • If you do not want to see any cases from a specific category, you can deactivate the entire category. In the Categories section of Active threat Analytics setup, choose the categories that you want to deactivate and click Actions > Inactivate.
    • The Source program and Object fields define specific activities and exceptions to exclude. These fields are intended only for cases that stem from the Outlier mining process, and they cannot be selected in tandem with the Category field.
    • Add a comment in the Comment field to remind yourself or other users why you are making the current exclusion selections.
  3. (12.2 and later) You can simultaneously close all open Active Threat Analytics cases when you are adding items to the exclude list by completing the following steps.
    1. From the Add to analytic exclude list dialog, select the Close existing cases checkbox.
      Important: The Close existing cases checkbox is disabled when you use attributes that do not define a source, such as the Source program and Object fields.
    2. Click Save to close the cases.
      All open cases with a source that matches the defined criteria are closed and removed from the Active Threat Analytic page.

Editing items in the exclude list

You can view and adjust the exclusion parameters for an existing item from the Active Threat Analytics setup page.

Procedure

  1. Open the exclude list by going to Manage > Maintenance > Active Threat Analytics Setup > Analytics exclusion section, or clicking Active Threat Analytics setup from the main Active Threat Analytics page.
  2. To edit an item, select a case and click the Edit icon.
    The Edit analytic exclude list dialog opens.
  3. You can add, remove, or edit the values for the fields in the Edit analytic exclude list dialog. For more information, see Adding items to the exclude list.
  4. (12.2 and later) You can simultaneously close all open Active Threat Analytics cases when you are editing items in the exclude list by completing the following steps.
    1. From the Edit analytic exclude list dialog, select the Close existing cases checkbox.
      Important: The Close existing cases checkbox is disabled when you use attributes that do not define a source, such as the Source program and Object fields.
    2. Click Save to close the cases.
      All open cases with a source that matches the defined criteria are closed and removed from the Active Threat Analytic page.

Removing items from the exclude list

You can remove items from the exclude list only from the Active Threat Analytics setup page.

Procedure

  1. Open the exclude list by going to Manage > Maintenance > Active Threat Analytics Setup > Analytics exclusion section, or clicking Active Threat Analytics setup from the main Active Threat Analytics page.
  2. From the exclude list, select the item that you want to remove and then click the icon.