Configuring Risk Event Leads

Configure the Risk Event Leads to determine which assets are considered as potential risk to start the risk evaluation.

This content is available through the IBM Guardium® Data Detection and Response (DDR) module.

The Risk Event process runs every hour, searching for assets with a potential risk. The risk of these assets is later evaluated, and if the asset’s risk score is higher than the threshold, a Risk Event is created.

Leads are assets with a potential risk and the processes that search for them are called lead generators. You can configure some aspects of the lead generators by using the Insights REST API.

Use the GetLeadGeneratorConfig API to view the list of lead generators and their current configuration. This API shows how each lead is calculated, which parameters it uses, and whether each generator is enabled. Review its output to decide which generators you do or do not want to enable.

Use the UpdateLeadGeneratorConfig API to configure the lead generators. With this API, you can edit the settings that the GetLeadGeneratorConfig API displays.

The following is an example of what you can configure in the UpdateLeadGeneratorConfig API for the lead_gen_violation_db lead type.

[
  {
    "lead_generator_name": "lead_gen_violation_db",
    "is_active": true,
    "lead_generator_params": [
      { "name": "leads_query_rows_limit", "value": "1000" },
      { "name": "minimum_severity", "value": "10" },
      { "name": "minimum_count", "value": "1" }
    ]
  }
]
is_active
defines whether the lead type is enabled.
lead_generator_name
is the lead type. Some generators are separated per asset type so that you can customize the configuration for each asset type. You can identify which generators are separated per asset type by looking at the generator name: "DB" denotes a database asset, while "user" denotes a database or operating system user asset.
lead_generator_params
is the list of parameters whose values can be changed for this lead type.
leads_query_rows_limit
defines the maximum number of assets that can be processed for each lead type per hour. Assets beyond this maximum that occur during the hour are not processed by the Risk Events process.
minimum_severity
defines the severity threshold that determines whether a lead is created.

For Outliers, the minimum severity value corresponds to the anomaly score. For violations, it refers to the violation severity.

The minimum severity threshold is not to be confused with the threshold setting in the Risk events settings in the UI.
minimum_count
defines the minimum threshold for exception leads. When the number of exceptions surpasses the amount that is configured here, a new exception lead is created.
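As an added example (not IBM's code or part of the Guardium API), the following Python helper takes a configuration shaped like the GetLeadGeneratorConfig output above, applies changes to one lead generator, and builds the body for UpdateLeadGeneratorConfig. It refuses parameter names that are not already present for that generator, so a mistyped name cannot silently leave the intended threshold unchanged; the sample configuration is constructed, and the array wrapper follows the page's example.

```python
"""Build an UpdateLeadGeneratorConfig body from a GetLeadGeneratorConfig result."""
import copy
import json

# Constructed sample shaped like the page's lead_gen_violation_db example;
# not a real GetLeadGeneratorConfig response.
SAMPLE_CONFIG = [
    {
        "lead_generator_name": "lead_gen_violation_db",
        "is_active": True,
        "lead_generator_params": [
            {"name": "leads_query_rows_limit", "value": "1000"},
            {"name": "minimum_severity", "value": "10"},
            {"name": "minimum_count", "value": "1"},
        ],
    }
]


def build_update(config, generator_name, is_active=None, **params):
    """Return a copy of the matching generator entry with the requested changes.

    Only parameter names already present in the fetched config are accepted,
    so a typo raises instead of creating an unknown setting. Values stay as
    strings of non-negative integers, matching the page's example.
    """
    matches = [g for g in config if g["lead_generator_name"] == generator_name]
    if not matches:
        raise KeyError(f"unknown lead generator: {generator_name}")
    entry = copy.deepcopy(matches[0])  # never mutate the fetched config
    if is_active is not None:
        entry["is_active"] = bool(is_active)
    known = {p["name"]: p for p in entry["lead_generator_params"]}
    for name, value in params.items():
        if name not in known:
            raise KeyError(f"unknown parameter for {generator_name}: {name}")
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{name} must be a non-negative integer, got {value!r}")
        known[name]["value"] = str(value)
    return entry


def update_payload(config, generator_name, **changes):
    """JSON text for UpdateLeadGeneratorConfig (assumed array shape, as on the page)."""
    return json.dumps([build_update(config, generator_name, **changes)], indent=2)
```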

See Creating API keys and Calling Guardium Data Security Center SaaS APIs for details.