Use the Risk Spotter results
The Risk Spotter page presents risk data over your entire system, with a few graphs and tables. Learn how to use the Risk Spotter data in your daily Guardium activities.
- View the top potential risky users.
The Risky Users table lists the top potentially risky users, as identified by the Risk Spotter algorithm and the Watchlist. Users from the Watchlist are indicated by the eye symbol in the From Watchlist column.
With the default Latest time period (the previous calendar day), Risk Spotter shows the risk details of 50-100 users, based on their activity during that day: 50 from the Top Risky Users (highest risk score or highest potential for causing damage) and up to 50 from the Watchlist. In this scenario, the Max Risk is the same as the Current Risk.
If you select Last 3 days, there are up to 150 users from the Top Risky Users group since they are aggregated over the selected time period; and up to 150 Watchlist users. In this scenario, the Max Risk column shows the highest risk for the DB user over the time period. There is one row per user. Multiple instances of both Risky User and Watchlist are aggregated into one row.
Hover over the colored risk level to see the individual risk indicators. Sort the columns to view and compare multiple occurrences of database users or databases.
- Investigate risky users in the Investigation Dashboard.
- If a user appears in the Risky Users table but its inclusion seems unwarranted, add it to the Trusted Users group. From then on, the user is audited only by your installed policies, not by Risk Spotter.
- Do you suspect other users in your system that are not in the Risky Users list? Add them to the Watchlist. Continue adding users to and removing users from the Watchlist as relevant. View the Watchlist report, looking at the maximum scores per day. Consider creating new groups and new reports for continued observation.
- Watch the Risk Spotter page, looking for trends, and unusual changes.
Auditing can be temporarily stopped for one day if system resources are low on an individual managed unit. Check the Risk Spotter log to see whether auditing was suspended.
- View risk details: Opens a window with the relative weights of the risk indicators that are currently associated with the user, for example, violations, outliers, and vulnerability. The gray bars reflect the maximum score for each risk indicator based on its relative weight, and the yellow bars show the actual score. When a risk indicator reaches its maximum score, no gray is visible. Click a risk indicator to open the Investigation Dashboard, filtered for this user, database server, and verb group (if relevant), for the selected date. Click Threat Analytics in the Latest Risk or Max Risk window to open the associated Threat Analytics DB User Behavioral Analytics window.
- View max risk details: Opens a window with the relative weights of the risk indicators for the maximum identified risks that were posed by this user during the selected timeframe. Click a risk indicator to open the Investigation Dashboard, filtered for this user, database server, and verb group (if relevant), for the selected date.
- Investigate: Opens the Investigation Dashboard, filtered for this DB user and server, for the selected date. You can investigate the specific activities that resulted in the high risk score, view specific details and activities, and compare them with other users, dates, and databases. Consider adding a rule to your installed policies to quarantine the user by blocking its access on next entry.
- Assign risky user: Appears if there is no configured external ticketing system. Opens a ticket in Guardium to review specific users. (If you are logged in with the User role, add permission for the report Active Risk Spotter - Risky User before assigning a risky user.)
- Create ticket: Appears if an external ticketing system is configured. Opens a ticket in ServiceNow. See more details in Configure an external ticketing system.
- Add user to Watchlist: Use the Watchlist to maintain a group of users that you want to monitor. If you try to add a user to the Watchlist while it is currently in the Trusted Users group, the user remains in the Trusted Users group, and Guardium responds with a message that at least one user was found in the Trusted Users group and was ignored. To add the user to the Watchlist, first delete it from the Trusted Users group. Changes to this group are effective from the next run of the Risk Spotter.
- Add to "Risk Spotter - Trusted Users" group: Users in this group are not added to the Top Risky Users group and not monitored by the Risk Spotter policy, though they continue to be monitored by your installed policies. If you identify a false positive, consider adding the database user to the Trusted Users group. If you try to add a user to the Trusted Users group, and it's currently in the Watchlist, it's deleted from the watchlist, and added to the Trusted Users group. Changes to this group are effective from the next run of the Risk Spotter.
- Add DB users to group: Add the DB user to a group that is already defined, or create a new group. The Add DB User to Group window is prefiltered for the user. Consider adding a DB user group to a specific policy to audit these users at a higher resolution by setting the Log Full Details option. Groups can also be used to keep watching these users with an automatic workflow process or a specific alert, and you can use these groups in policies and reports.
- Add server IPs to group: Add the server IP to a group that is already defined, or create a new group. The Add Server IP to Group window is prefiltered for the server IP. Consider adding a server IP group to a specific policy to audit these servers at a higher resolution by setting the Log Full Details option. Groups can also be used to keep watching these servers with an automatic workflow process or a specific alert, and you can use these groups in policies and reports.
- Audit process all risky users: This pre-defined audit process sends the Active Risk Spotter - Risky Users Scores report to the users you define. See Building audit processes.
- Investigate risky users: Opens the Investigation Dashboard, filtered for the Risk Spotter - Risky Users Index group (similar to the Risk Spotter - Top Risky Users group), for the selected dates. In the Investigation Dashboard, you can look for trends over all the users. Change the time period or filters for a narrower or broader cross section, and look for patterns or other unusual behavior. Look at the distribution of activity per verb, activity over time, average activities, and errors, and drill down on specific users. See Investigation Dashboard for details.
- Edit groups: Manage the Watchlist and Trusted Users groups: add, remove, and view members.
- View report: View one of the following reports, showing data for the selected date:
  - Risky Users - Connection profiling list: the Connection profiling list report filtered for risky users
  - Risky Users - SQL Errors report: the SQL Errors report filtered for risky users
  - Risky Users - Policy Violation report: the Policy Violation report filtered for risky users
  - Active Risk Spotter - Risky Users Scores: lists users, DBs, total risk, and individual risk indicator scores
  - Active Risk Spotter - Watchlist Snapshot: lists users, DBs, total risk, and individual risk indicator scores for the users in the Watchlist
- Export risky users to PDF: A handy PDF, as a snapshot or for distribution. It lists users, DBs, total risk, and individual risk indicator scores, the same details as the Risky Users table.
- Export risky users to CSV: A handy CSV file (for Excel), as a snapshot or for distribution. It lists users, DBs, total risk, and individual risk indicator scores, the same details as the Risky Users table.
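As an added example (not Guardium product code), the following Python script rolls up several daily Export risky users to CSV files into the one-row-per-user view described for the Last 3 days period: Current Risk from the user's most recent day in the window, Max Risk over the window, and a From Watchlist flag. The column names and the sample rows are assumed and constructed; map the names to the headers of your own export.

```python
# Added example, not Guardium product code. The CSV column names below are
# assumed; adjust them to match the headers of your own Risk Spotter export.
import csv
import io
from collections import defaultdict

# Constructed sample: three daily exports concatenated (assumed headers).
SAMPLE_CSV = """\
date,db_user,server_ip,total_risk,violations,outliers,vulnerability,from_watchlist
2024-01-01,appsvc,10.0.0.5,72,40,20,12,no
2024-01-02,appsvc,10.0.0.5,35,10,20,5,no
2024-01-03,appsvc,10.0.0.5,58,30,20,8,no
2024-01-01,dba_ann,10.0.0.7,20,0,10,10,yes
2024-01-03,dba_ann,10.0.0.7,91,50,31,10,yes
2024-01-02,report_ro,10.0.0.9,15,0,5,10,no
"""

def aggregate(csv_text, days=None):
    """One row per (db_user, server_ip) with Current Risk and Max Risk.
    `days` is the window, like the Latest / Last 3 days selector: with one
    day in the window the Max Risk equals the Current Risk, as on the page.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    dates = sorted({r["date"] for r in rows})
    if days is not None:
        dates = dates[-days:]            # keep only the last `days` dates
    by_user = defaultdict(list)
    for r in rows:
        if r["date"] in dates:
            by_user[(r["db_user"], r["server_ip"])].append(r)
    result = []
    for (user, server), hist in by_user.items():
        hist.sort(key=lambda r: r["date"])
        latest = hist[-1]                # user's most recent day in the window
        peak = max(hist, key=lambda r: int(r["total_risk"]))
        result.append({
            "db_user": user, "server_ip": server,
            "current_risk": int(latest["total_risk"]),
            "max_risk": int(peak["total_risk"]), "max_risk_date": peak["date"],
            "from_watchlist": any(r["from_watchlist"] == "yes" for r in hist),
        })
    # Highest Max Risk first, the order in which an analyst triages the table.
    result.sort(key=lambda r: r["max_risk"], reverse=True)
    return result

if __name__ == "__main__":
    for row in aggregate(SAMPLE_CSV, days=3):
        print(row)
```

Run it with `days=1` to reproduce the Latest view, where every row has Current Risk equal to Max Risk.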