Investigating cases
You can investigate cases to determine whether they are isolated incidents or recurring events by adjusting time frames and filters to examine activity distribution and anomalies. You can also assess risk scores and detailed analysis to understand potential threats and unusual behavior.
Case details
The case details page provides a comprehensive overview of a specific Active Threat Analytics case, including source details, case-specific details, and links to various reports for in-depth case investigation and analysis.
- If you are using a version of Guardium® prior to 12.2.2, open the Case Analysis page by clicking the page icon next to the case number that you want to investigate.
- 12.2.2 and later View the details of a case by clicking its link in the Case ID column.
You can find the following information on the case details page:
- 12.2.2 and later Case details
- When you open the case details, this information is provided:
- If you have configured generative AI, the details provide an AI-generated summary of the case.
- The severity, category, and status of the case, along with the case observations.
- Details about the source, such as DB user, database, and server IP address. Other statistics related to the source are provided.
- A graphical representation of the source behavior analysis by applications.
- A graphical representation of the source behavior analysis by verbs.
- If the case is a result of an outlier, a graphical representation of the source behavior analysis by object.
While in the details panel, click View case to open the expanded details of the case. Doing this allows you to see comprehensive details about the case, including:
- If the case is a result of policy violation:
- The configuration of the policy that was used to detect the case. This includes the rule pattern that was used and an explanation of what the rule does.
- A timeline of the policy violations (Policy violations within the case timeline).
- The ability to see details about SQL visibility.
- If the case is a result of an outlier, a timeline of the outliers within the case (Outliers within case timeline). You can also set the timeline to include Additional outliers (anomalies that occurred in the same hour but are in different threat categories).
An Activity chart for the outlier is also provided.
- If the case is a result of threat diagnostics, a timeline of the symptoms (Symptoms within case timeline) that led to the case.
- If the case is a result of a threshold alert, a timeline will not be available since no symptoms are associated with threshold alerts.
- For all cases, these are also available:
- Details about the source (this can include DB user details, Database, and Server). Click the source to see its details.
- User risk (if you click the value of the User risk, you can see how the score was calculated).
- Quick access to reports that are relevant to the case (the list of available reports is dynamically produced, depending on the nature of the case).
- Timeline records can be exported. You can Download all records, Download display records, open a Full printable report, or Download as PDF.
- To open the case in the Investigation Dashboard, click Open investigation dashboard.
- 12.2.x and later Case details
- Displays statistics and activities on the source, distribution of activities by time period, history of cases, and the case types that are opened or closed on the source. The time, type, observations, and details specific to the case type are provided - along with links to these reports:
- SQL Report - SQL statements with limited information.
- Full SQL Report - Full SQL statements. Available only if the Log full details rule action applies according to the installed policy. The default time range for this report is the time period that is defined by the from date and to date of the specific case.
- SQL Exceptions Report - SQL exceptions, including the SQL statement that caused the exception.
- Open case dashboard - Opens the Investigation Dashboard and filters the data by the case's Source. Drill down for details of symptoms, compare to other databases and users, and view activity over time. For more information, see Investigation Dashboard.
- If the case category is based on outliers, the descriptions of these outliers are displayed in a table as links that direct you to a dedicated Investigation Dashboard. This dashboard filters data by the source and outlier. For example, if the outlier is excessive Select commands on the CUSTOMER table, the dashboard filters data by command (Select commands) and object (CUSTOMER), alongside the source filter.
- Exploration
- Presents detailed context for a specific case in the following sections.
- Where - More details on the server and database, for example, number of databases (and their types) on the server, number of cases of the same type seen on the database.
- When - Time period details, including work hours, off-work hours, weekends, what else happened during this time.
- What - Details of similar cases, including case statistics, sensitive objects accessed (and by which commands), other occurrences of this case (and where).
- Who - Statistics on the users that accessed the database, users that normally access this database (OS users, DB users), and from which client hosts. For OS users, the client hosts this user accesses from and when it was first used, as recorded in Guardium.
- How - Statistics on the applications that are used to access the database. Applications that are used during the case time window, applications that are normally used, First record of use of application as recorded in Guardium.
Case management
- Close case
- If the observed behavior is acceptable, consider closing the case. When closing the case:
- In versions of Guardium prior to 12.2.2, you can assign the case a threat category and severity level based on your own input by completing the Actual threat category and Actual severity fields.
- 12.2.2 and later Report the case as a Valid threat or False positive.
To learn how to close multiple Active Threat Analytics cases simultaneously, see Closing cases in bulk.
- 12.2.2 and later Reopen case
- If a case is closed, you can reopen it.
To learn how to reopen multiple Active Threat Analytics cases simultaneously, see Reopening cases in bulk.
- Add to group
- Select either Server IP, database, DB user, file system, or file user and add it to either an existing group or a new group. This action is useful for tracking users and activity. You can use these groups in policies, reports, and alerts for enhanced monitoring over your system.
- Open case dashboard
- Opens the Investigation Dashboard for the selected case. Drill down for details of symptoms, compare to other databases and users, and view activity over time. For more information, see Investigation Dashboard.
- Add to exclusion list
- Add items to an exclusion list. For more information, see Excluding items from Active Threat Analytics.
- Assign case
- Assign the case to a role, an email, a user group, or a user. Roles and groups are preferable, since individual users and emails can change.
- View risk details
- 12.2 and later When a DB user is identified as a risky user by Risk Spotter, the Source column displays the DB user's name along with a small circle that signifies the severity level. For example, a red circle indicates a high severity level. To open the Risk Details window and examine the risk indicators, click View next to the DB user.
- Filter
- If you are using Guardium Data Protection 12.2.1 or earlier, filter the entire table by threat category by using the drop-down menu or the Filter field.
- Filter the entire table by severity level (High, Medium, or Low).
- Filter the table to show either only unassigned cases or only cases that are assigned to an audit process or an external ticketing system, such as ServiceNow.