Configuring Risk Events settings
Enable and disable the Risk Event process and feedback collection option. Manage asset exclusion. Tune the risk score and severity calculation. Set up response rules.
This content is available through the IBM Guardium® Data Detection and Response module.
The Risk event settings page has four tabs – General, Exclusion, Risk profile, and Response rules.
General tab
Used to enable or disable the Risk Event process and to handle the option to collect feedback and send it to IBM.
Refer to Enabling the Risk Event process for details on how to enable the Risk Event process. Refer to Providing feedback for details on the Risk Event feedback.
Exclusion tab
Assets can be excluded from the Risk Event process. This tab lists the Guardium Data Security Center groups of items that are excluded from the process. Click a link to view and manage each one of the groups.
The groups are as follows:
- Applications excluded from analysis - default
- Databases excluded from analysis - default
- DB users excluded from analysis - default
- OS users excluded from analysis - default
- Server IPs excluded from analysis - default
- Server IPs and databases excluded from analysis - default
- Server IPs, databases, and database users excluded from analysis - default
To exclude all the items in an existing Guardium Data Security Center group, add that group to the listed group of the matching type. The listed items are groups of groups: every item in each member group is excluded from the Risk Event process.
- Applications excluded from analysis
- Databases excluded from analysis
- DB users excluded from analysis
- OS users excluded from analysis
- Server IPs excluded from analysis
- Server IPs and databases excluded from analysis
- Server IPs, databases, and database users excluded from analysis
Risk profiles tab
The risk scorer computes the risk score of every asset based on the assigned weight and criticality of the identified features. The Risk Event’s severity level is determined by the calculated risk score.
Use the risk profile configuration framework to assign weight for various categories of features for computing risk score. You can customize your risk profile to assess risk based on how important each feature is for your organization.
Response rules tab
The response rules are automated rules that are applied to every Risk Event when it is created and updated.
Each rule has conditions and actions. If all the rule conditions are fulfilled, the actions are performed.
These items are examples of rules:
- If the Risk Event’s severity is Critical, then send a notification email to the security analysts AND create a ticket in an external ticketing system.
- If the database name is X, then send a notification from Guardium Data Security Center to the security analysts.
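The rule semantics described above (every condition must hold, operators equal and not equal, one or more actions per rule) as an added example; this is illustrative Python, not Guardium code, and the attribute names, action names and sample events are constructed:

```python
# Added example (not Guardium code): a minimal model of response-rule semantics.
# A rule fires only when ALL of its conditions hold; condition operators are
# "equal" and "not equal", the two operators offered in the UI.
from dataclasses import dataclass


@dataclass(frozen=True)
class Condition:
    attribute: str  # Risk Event attribute, e.g. "severity" or "database" (constructed names)
    operator: str   # "equal" or "not equal"
    value: str


@dataclass
class Rule:
    name: str
    conditions: list  # list of Condition; all must hold (AND)
    actions: list     # constructed action names, e.g. "email_security_analysts"


def condition_holds(cond, event):
    # A missing attribute evaluates as None, so "not equal" holds and "equal" does not.
    actual = event.get(cond.attribute)
    if cond.operator == "equal":
        return actual == cond.value
    if cond.operator == "not equal":
        return actual != cond.value
    raise ValueError(f"unsupported operator: {cond.operator!r}")


def evaluate(rules, event):
    """Return the actions triggered for one Risk Event, in rule order, without duplicates."""
    triggered = []
    for rule in rules:
        if all(condition_holds(c, event) for c in rule.conditions):
            for action in rule.actions:
                if action not in triggered:
                    triggered.append(action)
    return triggered


# Constructed rules mirroring the two examples in the text, plus one two-condition rule.
RULES = [
    Rule("critical-severity", [Condition("severity", "equal", "Critical")],
         ["email_security_analysts", "create_external_ticket"]),
    Rule("watched-database", [Condition("database", "equal", "X")],
         ["notify_security_analysts"]),
    Rule("critical-excluding-service-account",
         [Condition("severity", "equal", "Critical"),
          Condition("db_user", "not equal", "svc_batch")],
         ["open_internal_review"]),
]

# Constructed Risk Events (not real data).
EVENT_A = {"severity": "Critical", "database": "X", "db_user": "alice"}
EVENT_B = {"severity": "High", "database": "Y", "db_user": "svc_batch"}
```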
To create a response rule:
- Click Create workflow.
- Select Event workflow and click Next.
- Click Add action.
- From Source Data, select the event.
- Define the rule conditions. Select a condition type in the condition field, an operator (equal, not equal), and a value.
- Click Add another condition to add conditions. You can add as many conditions as needed.
- Select one of the following options:
- Internal review: Creates review tasks for the event within Guardium Data Security Center.
- External review: Guardium Data Security Center creates a notification about the event by using either an external ticket, Slack, or Microsoft Teams.
- Click Next.
- Set the Assignments for the event:
- Use the Instructions field to provide instructions to the recipient.
- Set a recipient for the task. If the recipient is a person, the person will receive a notification for the task. Select Recipient type.
- If you select Send notification to users or roles as the recipient type, you can then select a user (or users) to assign the task to, or choose a role (or roles) as an owner (in which case anyone who is assigned that role will be able to complete the task). You can also provide instructions to the user recipients in the optional Instructions field. Whoever you assign the task to will be responsible for signing off on that task.
Tip: Assigning a role as task owner provides more flexibility. For example, if you assign a task to a person, but the person leaves your organization, you will need to update the scheduled job. However, if you assign it to a role, another person assigned to that role will automatically be able to complete the task.
- You can also select Distribution rule as the recipient. If you have already created one or more distribution lists, you can select the checkbox next to one or more of them to add them as recipients, or you can click Create a new distribution rule to create one (see Creating distribution rules for workflows to learn how to complete the wizard that opens).
Note: The list of distribution lists only includes those that are conditional upon data points that are in the report that you choose for the workflow.
- If you want to add additional recipients, click Add another recipient type and complete the fields as you did when adding the first recipient.
- When you are done adding recipient types, click Next.
- In the Reviewer actions page, set the manner in which the review will take place:
- Choose an existing Task response template or select Create response template to create a new response template.
- Choose an existing Investigation link or select Create investigation link to create a new investigation link.
- Review and save the workflow.