Managing a Risk Event
View the Risk Event details to start an investigation. Respond to the Risk Event by closing it or creating a ticket for further investigation.
This content is available through the IBM Guardium® Data Detection and Response (DDR) module.
The Risk Event page displays detailed information about a Risk Event. It displays general information about the Risk Event and the related asset. If the asset type is Database or Database user, the page features links to the classification report and the vulnerability assessment report.
You can create a ticket in an external ticketing service to further investigate a risk event. When a risk event is delegated to any external ticketing service, the Status label displays the ticket number and ticket status. The ticket status is updated each time you open or refresh the Risk Event.
In Guardium Data Security Center, databases are identified by server IP and database name or service name, depending on their type.
Vulnerability assessment and classification results are based on the respective processes in Guardium Data Protection. They can be linked to Risk Events only if the Guardium Data Protection data source was defined by server IP and database name or service name.
- Overview tab – this tab displays a description of the Risk Event and a list of findings.
  - The Risk Event description details the main observations that led to choosing the category, and a description of the category.
  - The list of findings is ordered by the finding date and time, with the most recent finding first. Several findings can occur in the same hour.
  - Click a finding to view its details in a separate window. This window displays a link to a report, a table with the features that most affected the Risk Event’s severity level, a table with other features, and a table with the last week’s features (if available).
    - Click the report link to view a detailed report of the finding in a new browser tab. The data this report displays depends on the finding type. If the finding type is policy violations, for example, the detailed report displays all the policy violations that are related to the asset during the specific hour.
    - Features that affected severity level – this table lists up to four features of the asset that most affected the Risk Event’s severity level. It has two columns that display the values of each feature in the last hour and the last day, relative to the time of the finding. ‘Last hour’ is the hour that starts at the finding’s date and time. ‘Last day’ is the 24 hours that lead up to the finding’s date and time.
    - Other features – this table lists all other features of the asset. It too has two columns, with the values for the last hour and the last week.
    - Last week’s features – this table is not always available. It lists the features from the two tables above with values from the 7 days that lead up to the finding’s date and time.
- Dashboard tab – this tab displays the following details if an emerging risk is detected:
  - Emerging finding – displays the number of Errors, Failed logins, Policy violations, New resource programs, Vulnerabilities, and Client IPs that occurred during the risk event and the period before it. Click each card to open its detailed report.
  - Excessive activities – displays a graph of the number of excessive activities that occurred while the risk event was emerging.
  - Findings – provides the time, description, and type of each finding related to the potential security threat. Click a description for more information about the anomalies. The panel displays information about the outlier and its activity; click View full report to get a detailed report. Expand Risk indicators to view the results of an hourly analysis of activity, exceptions, policy violations, and anomalies. Advanced users can expand the Advanced analysis tab to view additional results.
- Related Risk Events tab – this tab displays the history of Risk Events that are related to the current Risk Event’s asset. If the asset had Risk Events in the past, they are listed on this tab.