Risk events
A Risk Event is a collection of data points around an asset that shows a potential risk.
This content is available through the IBM Guardium® Data Detection and Response (DDR) module.
The Risk Event module evaluates assets every hour, looking for assets with potential risks. Assets are databases, database users, and operational system users. It examines the asset’s activities and other attributes and evaluates the asset’s risk.
In Guardium Data Security Center, databases are identified by server IP and database name or service name, depending on their type.
Vulnerability assessment and classification results are based on the respective processes in Guardium Data Protection. They can be linked to Risk Events only if the Guardium Data Protection data source was defined by the server IP and database name or service name.
Examples of high risk findings
- Outliers or anomalies, such as an exceptionally high volume of Select activities, an exceptionally high volume of Delete activities against a particular database table, or activities that were not seen before.
- High severity policy violations.
- High volume of failed logins. For more information, see Configuring Risk Event leads.
- High volume of SQL exceptions. For more information, see Configuring Risk Event leads.
Examples of Risk Events
- A certain database had 300 failed logins during an hour, along with policy violations typical of SQL injection attacks. During the following hour, the same database had an exceptionally high volume of SQL exceptions and an exceptionally high volume of activities on the CUSTOMER, CREDIT_CARD, and PURCHASE_ORDER tables.
- A certain user performed an exceptional number of Select activities and an exceptional number of Delete activities during an hour.
Risk Events module terminology
- Risk Event: A potential attack or breach, described by an asset, a time frame, a category, a severity level, and a set of findings.
- Asset: An object that the Risk Events process observes when it searches for Risk Events. The asset types are database, database user, and operating system user.
- Finding (lead): A data point, such as an outlier or a policy violation, that indicates a potential breach.
- Feature: Historical data about the asset that portrays one of its attributes. The Risk Events process uses a list of features to categorize the Risk Event and to calculate its risk score and severity level. Some examples of features:
  - Total number of high severity violations in the last hour: 23
  - Number of failed login attempts in the last week: 744
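The following Python script is an added illustration of the concepts on this page (assets keyed by server IP and database name, findings bucketed per hour, features computed as counts, and a Risk Event raised when features cross a threshold); it is not Guardium's own algorithm or API. The thresholds, the severity rule, the `evaluate` and `compute_features` functions, and the sample activity records are all constructed for the example, and it models only the hourly window from the first example above, not the weekly features.

```python
"""Toy hourly risk-event evaluator.

Added illustration for this page; it is NOT Guardium's own algorithm or API.
It models the concepts described above: an asset (here a database) is keyed by
server IP plus database name, findings are bucketed into one-hour windows,
features are counts over that window, and a Risk Event is raised when one or
more features reach a threshold. Thresholds and the severity rule are assumed.
"""
from collections import defaultdict
from datetime import datetime

# Assumed thresholds (hypothetical); in the product the real leads are set
# under "Configuring Risk Event leads".
THRESHOLDS = {
    "failed_login": 100,
    "sql_exception": 50,
    "high_sev_violation": 5,
}


def build_sample_events():
    """Constructed sample activity records, not real Guardium data."""
    def rec(ip, db, user, kind, ts):
        return {"server_ip": ip, "db": db, "user": user, "kind": kind, "ts": ts}

    events = []
    # 300 failed logins plus 6 high-severity violations against SALESDB
    # between 10:00 and 10:59 (mirrors the first example on the page).
    for i in range(300):
        events.append(rec("10.0.0.5", "SALESDB", "appsvc", "failed_login",
                          f"2024-05-01T10:{i % 60:02d}:00"))
    for _ in range(6):
        events.append(rec("10.0.0.5", "SALESDB", "appsvc", "high_sev_violation",
                          "2024-05-01T10:30:00"))
    # 60 SQL exceptions against the same database in the following hour.
    for i in range(60):
        events.append(rec("10.0.0.5", "SALESDB", "appsvc", "sql_exception",
                          f"2024-05-01T11:{i:02d}:00"))
    # Background noise on another database that stays below every threshold.
    for i in range(3):
        events.append(rec("10.0.0.7", "HRDB", "hrapp", "failed_login",
                          f"2024-05-01T10:{i:02d}:00"))
    return events


def asset_key(event):
    """Databases are identified by server IP and database name."""
    return (event["server_ip"], event["db"])


def hour_bucket(ts):
    """Truncate an ISO-8601 timestamp to the start of its hour."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def compute_features(events):
    """Count findings per (asset, hour); these counts are the 'features'."""
    features = defaultdict(lambda: defaultdict(int))
    for ev in events:
        features[(asset_key(ev), hour_bucket(ev["ts"]))][ev["kind"]] += 1
    return features


def evaluate(events):
    """Return Risk Events, ordered by asset then hour, for every window in
    which at least one feature reaches its threshold."""
    risk_events = []
    for (asset, hour), counts in sorted(compute_features(events).items()):
        findings = sorted(k for k, n in counts.items()
                          if n >= THRESHOLDS.get(k, float("inf")))
        if not findings:
            continue
        # Assumed severity rule: two or more correlated findings in the same
        # window is "high"; a single finding is "medium".
        severity = "high" if len(findings) >= 2 else "medium"
        risk_events.append({
            "asset": asset,
            "hour": hour.isoformat(),
            "findings": findings,
            "features": dict(counts),
            "severity": severity,
        })
    return risk_events


if __name__ == "__main__":
    for risk_event in evaluate(build_sample_events()):
        print(risk_event)
```

Running the script yields two Risk Events for the SALESDB asset and none for HRDB: the 10:00 window combines the failed-login and policy-violation findings into a high-severity event, and the 11:00 window carries the SQL-exception finding on its own. In practice the interesting step is the correlation across consecutive windows for the same asset, which is what turns individually noisy leads into a single investigable event.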