Active Threat Analytics
The Active Threat Analytics dashboard shows potential security breach cases, based on the outlier mining process and on identified attack symptoms. In this dashboard, you can view and investigate cases, and take actions on individual cases.
Active Threat Analytics runs on central managers and stand-alone units.
Prerequisite: Threat finder and DAM Outlier mining are enabled. Click the Active Threat Analytics Setup link to enable Threat finder and DAM Outlier mining. Active Threat Analytics shows results for all collectors on which DAM Outlier mining is enabled.
Access Active Threat Analytics from the Welcome page or from .
The first row of results tabulates all cases and all open cases per category: databases, DB users or OS users, file systems, and file users. The cases in each category are identified by their risk level: high, medium, and low. If a database, database user, file system, or OS user is associated with multiple cases, that database or user is counted only once.
For example, assume there are 40 cases: 10 associated with database NN, 10 associated with user XX, and the remaining 20 associated with various other databases or users. In this case, the total of database and file server cases and database and file user cases would be 22, not 40.
By default, data is presented for the last day. You can change the time period from the drop-down list.
The table shows violations, outliers, errors, and activities over the same period of time.
The table lists all cases (in descending order of severity), including the type of threat, the observed activity on which the case is based, and the source details. Active Threat Analytics identifies potential security breaches by case type, listed in Threat descriptions.
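The per-entity counting rule described above (an entity tied to several cases is counted once, with a per-risk-level breakdown) and the severity-ordered case table can be made concrete with a small aggregation. The following is an added example, not Guardium code: the case records are constructed inline, the category names and the rule that an entity's bucket is its highest risk level are assumptions, and the 40-case scenario reproduces the documented total of 22 entities.

```python
from collections import defaultdict

# Severity ordering used both for sorting the case table (descending severity)
# and for picking an entity's highest risk level. Assumed, not from the product.
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

# Entity categories mirroring the dashboard's first row of results (assumed names).
CATEGORIES = ("database", "db_user", "os_user", "file_system", "file_user")


def build_example_cases():
    """Constructed cases reproducing the documented scenario: 40 cases, 10 on
    database NN, 10 on DB user XX, and 20 on distinct other databases and users."""
    cases = []
    for i in range(10):                      # 10 cases on one database
        cases.append({"id": f"c{i}", "category": "database", "entity": "NN",
                      "risk": "high" if i % 2 == 0 else "medium", "open": True})
    for i in range(10, 20):                  # 10 cases on one DB user
        cases.append({"id": f"c{i}", "category": "db_user", "entity": "XX",
                      "risk": "low", "open": i % 3 != 0})
    for i in range(20, 30):                  # 10 cases on 10 distinct databases
        cases.append({"id": f"c{i}", "category": "database", "entity": f"db{i}",
                      "risk": "medium", "open": True})
    for i in range(30, 40):                  # 10 closed cases on 10 distinct OS users
        cases.append({"id": f"c{i}", "category": "os_user", "entity": f"user{i}",
                      "risk": "low", "open": False})
    return cases


def entity_counts(cases):
    """Per category: distinct entities with any case, distinct entities with an
    open case, and distinct entities bucketed by their highest risk level.
    An entity linked to several cases is counted once, as the dashboard does."""
    highest = {cat: {} for cat in CATEGORIES}       # category -> entity -> best risk
    open_entities = {cat: set() for cat in CATEGORIES}
    for c in cases:
        cat, ent = c["category"], c["entity"]
        prev = highest[cat].get(ent)
        if prev is None or RISK_ORDER[c["risk"]] < RISK_ORDER[prev]:
            highest[cat][ent] = c["risk"]
        if c["open"]:
            open_entities[cat].add(ent)
    result = {}
    for cat in CATEGORIES:
        by_risk = {level: 0 for level in RISK_ORDER}
        for risk in highest[cat].values():
            by_risk[risk] += 1
        result[cat] = {"all": len(highest[cat]),
                       "open": len(open_entities[cat]),
                       "by_risk": by_risk}
    return result


def total_entities(counts):
    """Sum of distinct entities across categories (22 for the scenario, not 40)."""
    return sum(v["all"] for v in counts.values())


def sort_by_severity(cases):
    """Order cases as the case table does: highest risk first, stable by id."""
    return sorted(cases, key=lambda c: (RISK_ORDER[c["risk"]], c["id"]))


if __name__ == "__main__":
    cases = build_example_cases()
    counts = entity_counts(cases)
    for cat in CATEGORIES:
        print(f"{cat:12s} all={counts[cat]['all']:3d} open={counts[cat]['open']:3d} "
              f"by_risk={counts[cat]['by_risk']}")
    print("raw cases:", len(cases), " distinct entities:", total_entities(counts))
    print("most severe case:", sort_by_severity(cases)[0]["id"])
```

Running the script shows why the dashboard's entity totals are smaller than the raw case count: the ten cases on database NN collapse to one database entity, and the ten on user XX to one DB user, while each of the remaining twenty cases names a distinct entity.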
Click Databases, DB users, File Systems, and OS users to open a summary of the entities with open cases. From there, you can click View Profile to open the Behavioral Analytics for the specific database or user, and view all cases that are associated with this entity, the distribution of working hours, and the distribution of verbs. For database users, you can also click User Risk Indicators to open the Risk Details window, showing the Risk Spotter risk indicator scores.
The threat cases are not copied to the secondary central manager. In the case of a failover, there are no known threat cases in the new primary central manager.