Risk events

A Risk Event is a collection of data points around an asset that shows a potential risk.

This content is available through the IBM Guardium® Data Detection and Response (DDR) module.

The Risk Event module evaluates assets every hour, looking for assets with potential risks. Assets are databases, database users, and operating system users. It examines each asset's activities and other attributes and evaluates the asset's risk.

A risk event is opened for assets with a high risk. It lists the findings (also called Leads) that indicate a risk over time, thus telling a broad story of the asset’s risk.
Note: If you do not have any outlier violations or high severity policy violations, a risk event is not created. Therefore, you must enable outlier detection or create new policies. For more information, see Outliers and policies. To enable the failed login and SQL exception leads specifically, see Configuring Risk Event leads.
Attention:

In Guardium Data Security Center, databases are identified by server IP and database name or service name, depending on their type.

Vulnerability assessment and classification results are based on the respective processes in Guardium Data Protection. They can be linked to Risk Events only if the Guardium Data Protection data source was defined by the server IP and database name or service name.

Examples of high risk findings

  • Outliers, or anomalies, such as an exceptionally high volume of Select type activities, Delete type activities against a certain database table, or new activities.
  • High severity policy violations.
  • High volume of failed logins. For more information, see Configuring Risk Event leads.
  • High volume of SQL exceptions. For more information, see Configuring Risk Event leads.

Examples of Risk Events

  • A certain database had 300 failed logins during an hour, along with policy violations typical of SQL injection attacks. During the following hour, the same database had an exceptionally high volume of SQL exceptions and an exceptionally high volume of activities on the CUSTOMENT, CREDIT_CARD, and PURCHASE_ORDER tables.
  • A certain user had an exceptional number of Select type activities and an exceptional number of Delete type activities during an hour.
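The first scenario above, worked through as an added example that is not Guardium's own code: a small Python model that computes per-asset features from lead records once per hour, opens a Risk Event for an asset whose features cross a threshold, and extends an already open event in the following hour so that the event tells the story over time. The lead records, the thresholds, the feature names, and the "db:<server IP>/<database name>" asset naming are all assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample leads (not Guardium output): (timestamp, asset, lead type, severity).
LEADS = [("2024-05-01T09:%02d:00" % (i % 60), "db:10.0.0.5/SALES", "failed_login", "low")
         for i in range(300)]                                    # 300 failed logins, hour 1
LEADS += [("2024-05-01T09:12:00", "db:10.0.0.5/SALES", "policy_violation", "high"),
          ("2024-05-01T09:41:00", "db:10.0.0.5/SALES", "policy_violation", "high")]
LEADS += [("2024-05-01T10:%02d:00" % (i % 60), "db:10.0.0.5/SALES", "sql_exception", "medium")
          for i in range(80)]                                    # SQL exceptions, hour 2
LEADS += [("2024-05-01T10:20:00", "db:10.0.0.5/SALES", "outlier", "high"),
          ("2024-05-01T10:30:00", "dbuser:appsvc", "failed_login", "low")]  # stays below threshold

# Assumed thresholds; Guardium's real scoring is not described on this page.
THRESHOLDS = {"high_sev_last_hour": 1, "failed_login_last_hour": 100,
              "sql_exception_last_hour": 50, "outlier_last_hour": 1}

def compute_features(leads, asset, now):
    """Features: counts of each lead type for one asset in the last hour and the last week."""
    hour_ago, week_ago = now - timedelta(hours=1), now - timedelta(days=7)
    feats = defaultdict(int)
    for ts, a, kind, sev in leads:
        t = datetime.fromisoformat(ts)
        if a != asset or t > now:
            continue
        if t >= hour_ago:
            feats[kind + "_last_hour"] += 1
            if sev == "high":
                feats["high_sev_last_hour"] += 1
        if t >= week_ago:
            feats[kind + "_last_week"] += 1
    return dict(feats)

def evaluate(leads, now, open_events, thresholds=THRESHOLDS):
    """One hourly cycle: open a Risk Event per risky asset, or extend the one already open."""
    for asset in sorted({a for _, a, _, _ in leads}):
        feats = compute_features(leads, asset, now)
        findings = [(now.isoformat(), k, v) for k, v in sorted(feats.items())
                    if v >= thresholds.get(k, float("inf"))]
        if not findings:
            continue
        ev = open_events.setdefault(asset, {"asset": asset, "opened": now.isoformat(),
                                            "severity": "medium", "findings": []})
        ev["findings"].extend(findings)          # findings accumulate across hours
        if feats.get("high_sev_last_hour", 0) >= 1:
            ev["severity"] = "high"
        ev["last_seen"] = now.isoformat()
    return open_events
```

Running `evaluate` at 10:00 and again at 11:00 with the same `open_events` dict yields one event for the SALES database whose findings grow from two (failed logins, high severity violations) to five, while the single failed login of `dbuser:appsvc` never opens an event.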

Risk Events module terminology

Risk Event
A Risk Event is a potential attack or breach with the following characteristics: asset, time frame, category, severity level, and findings.
Asset
The objects that the Risk Events process observes when it searches for Risk Events. The asset types are database, database user, and operating system user.
Finding, lead
Data points, such as outliers and policy violations, that indicate a potential breach.
Feature
Historical data about the asset that portrays an attribute of the asset. The Risk Events process uses a list of features to categorize the Risk Event and calculate its risk score and severity level. The following are some examples of features:
  • Total number of high severity violations in the last hour: 23
  • Number of failed log-in attempts in the last week: 744