Global settings
Learn about the various global settings that you can make in Guardium® Insights.
Before you begin
To open the settings menu, select Settings. Then click Global settings.
Procedure
- Browser session duration: Inactive Guardium Insights browser sessions expire after 15 minutes by default. Click this card to change the value. The valid range is 5 minutes to 2 hours.
- REST-API session duration: The maximum lifetime of a REST API session is 15 minutes by default. Click this card to change the value. The valid range is 30 minutes to 16 hours (the stated default lies outside this range, so confirm the current value on the card).
- Report settings: Click this card to change these settings:
- Report data retrieval timeout
- Online report maximum rows
- Maximum results exported to a file from an online report
- Number of days an exported CSV report file is maintained before deletion
- Number of days a scheduled report download file is maintained before deletion
- Enable queries that use pipeline plans for online reporting: This setting requires the latest Guardium Insights patch (version 3.2.2 or later). It can improve performance by reducing the time that reports take to load, and is intended for large amounts of data (for example, a report that gathers data over a long time period, or a scheduled report). The default is Queries without sorts and aggregation, which enables pipeline queries only for reports that do not sort or aggregate. To disable pipeline queries for reporting, select No queries; to enable pipeline queries for all reports, select All queries.
If you need to know which query plan the user interface generates for a report, select Enabled under Run an explain before each online report; an explain is then run before each report.
Note: Pipeline queries will not work for data that is already sorted. In this case, performance will not be improved if this feature is enabled.
- Risk Events settings:
- Duration of time to keep a Risk Event active: If a Risk Event remains open (that is, it is not closed or delegated manually), it stays active as long as new findings arrive for the same asset. If no new findings arrive for this number of days, the Risk Event remains in Open status, but findings found after this period are not added to it; instead, a new Risk Event is created for that asset. The default is 7 days.
- Risk score threshold: After the risk score is calculated, it is compared to this threshold. A Risk Event is created only if its score is higher than the threshold. Raising the threshold results in fewer Risk Events; lowering it results in more. The default is 40.
- Global risk score and Global risk severity level: A global Risk Event is created when there are many leads of the same type (for example, many high-severity policy violations). This Risk Event indicates a cross-system threat or a cross-system event that affects many assets. When a global Risk Event is created, its risk score and severity level are not calculated; instead, the Risk Event is assigned the values defined here. The default global risk score is 100. The default global severity level is Critical.
- Number of assets in feature generators group: This is an internal attribute. Do not change this value unless IBM Support specifically asks you to. The default is 50.
- Number of rows to display on the Risk Events page: The Risk Events page retrieves a limited set of Risk Events at a time. The Risk Events are retrieved by the time range set on the page and the Risk Event status; other filters are applied to the retrieved Risk Events. The default limit is 1000.
- Detailed reports for each finding type on the Risk Event page: When you click a finding on the Risk Event page, a right-side panel opens with a link to a detailed report. There is a different report for each finding type (activity, exception, policy violation, or outlier). Select a report for each finding type. The defaults are: Client IP activity summary report for activity findings, Exception details report for exception findings, Policy violation report for policy violation findings, and Outlier details report for outlier findings.
- Sniffer settings: Click this card to change these settings:
- Mask the parser errors: Mask the literal errors when a parser error is encountered.
- Active parser: The parser engine used by the sniffer.
- Logging granularity: The number of minutes to use as a logging time period.
- Maximum SQL verbs in one alert: Maximum number of SQL verbs in one alert message for the Verb template variable.
- Maximum SQL objects in one alert: Maximum number of SQL objects in one alert message for the Object template variable.
- Connection settings: Click this card to change these settings:
- Enable persistent queue: Enable the persistent queue to prevent data loss. When it is enabled, input data is written to disk before it is parsed and sent to the sniffer, so data survives a universal connector service failure. The persistent queue might reduce the throughput and performance of the system.
- Persistent queue size: The maximum data stored in the persistent queue. When the queue is full, Logstash puts back pressure on the inputs to stall data from flowing into Logstash. This mechanism helps Logstash control the rate of data flow at the input stage without overwhelming outputs like Elasticsearch.
- Enable debug mode: The debug mode output is used by Guardium Support. Enable debug mode only if Guardium Support requests it.
- Download certificate: Click this to download the certificate to your local system for universal connector configuration.
- Group synchronization schedule: If you import groups from Guardium or LDAP, you can synchronize them on a regular basis to keep them up to date. Click this card to change these settings:
- Synchronization enabled: When this is set to On, you can enable synchronization when importing group members.
- Select schedule timezone: Select the timezone of the synchronization schedule.
- Repeat every: You can repeat the synchronization on a daily or hourly basis. Set the number of days or hours to wait before repeating the synchronization.
- Run at: Set the time of day to run the synchronization.
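The Risk Events settings above (active duration, risk score threshold, and the global risk score and severity) interact in ways that are easier to see on concrete data. The following is an added illustration, not Guardium Insights code: it models the rules exactly as the setting descriptions state them (a finding joins the asset's open Risk Event only if it arrives within the active window of the previous finding, an event is kept only if its score exceeds the threshold, and a global event takes the configured score and severity instead of calculated ones). Everything else is an assumption made for the example: per-finding scores that are summed into the event score, the severity bands in severity_for, the GLOBAL_LEAD_COUNT that decides when leads are "many", and the constructed SAMPLE findings.

```python
"""Added illustration of the Risk Event settings: active window, score
threshold and global events. Not Guardium Insights code; scoring,
severity bands and the 'many leads' count are assumptions for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Defaults quoted from the Risk Events settings card
ACTIVE_DAYS = 7            # Duration of time to keep a Risk Event active
SCORE_THRESHOLD = 40       # Risk score threshold
GLOBAL_RISK_SCORE = 100    # Global risk score
GLOBAL_SEVERITY = "Critical"  # Global risk severity level
GLOBAL_LEAD_COUNT = 10     # ASSUMPTION: leads of one type needed for a global event


@dataclass
class Finding:
    asset: str
    kind: str          # activity, exception, policy violation, outlier
    score: int         # ASSUMPTION: per-finding score, summed into the event score
    seen_at: datetime


@dataclass
class RiskEvent:
    asset: str
    status: str = "Open"
    score: int = 0
    severity: str = ""
    findings: List[Finding] = field(default_factory=list)
    last_finding_at: Optional[datetime] = None

    def accepts(self, f: Finding, active_days: int) -> bool:
        # An open event keeps absorbing findings for its asset while each new
        # finding arrives within active_days of the previous one.
        return (self.status == "Open" and self.last_finding_at is not None
                and f.seen_at - self.last_finding_at <= timedelta(days=active_days))


def severity_for(score: int) -> str:
    # ASSUMPTION: simple banding; the page does not define the bands
    if score >= 80:
        return "Critical"
    if score >= 60:
        return "High"
    return "Medium"


def build_risk_events(findings: List[Finding], active_days: int = ACTIVE_DAYS,
                      threshold: int = SCORE_THRESHOLD) -> List[RiskEvent]:
    """Group findings per asset by the active-window rule, then keep only
    events whose score is higher than the threshold."""
    open_by_asset = {}
    candidates: List[RiskEvent] = []
    for f in sorted(findings, key=lambda x: x.seen_at):
        ev = open_by_asset.get(f.asset)
        if ev is None or not ev.accepts(f, active_days):
            # Gap longer than the window: the old event stays Open but a
            # new one is created for the asset.
            ev = RiskEvent(asset=f.asset)
            candidates.append(ev)
            open_by_asset[f.asset] = ev
        ev.findings.append(f)
        ev.score += f.score
        ev.last_finding_at = f.seen_at
    kept = [e for e in candidates if e.score > threshold]
    for e in kept:
        e.severity = severity_for(e.score)
    return kept


def global_event_for(findings: List[Finding], kind: str,
                     min_leads: int = GLOBAL_LEAD_COUNT) -> Optional[RiskEvent]:
    """Cross-system event for many leads of one type. Score and severity are
    not calculated; they are set to the configured global values."""
    leads = [f for f in findings if f.kind == kind]
    if len(leads) < min_leads:
        return None
    assets = sorted({f.asset for f in leads})
    return RiskEvent(asset=",".join(assets), score=GLOBAL_RISK_SCORE,
                     severity=GLOBAL_SEVERITY, findings=leads,
                     last_finding_at=max(f.seen_at for f in leads))


# Constructed sample findings (not real Guardium data)
T0 = datetime(2024, 1, 1)
SAMPLE = [
    Finding("db-prod-01", "policy violation", 30, T0),
    Finding("db-prod-01", "outlier", 25, T0 + timedelta(days=3)),    # within 7 days: same event
    Finding("db-prod-01", "activity", 50, T0 + timedelta(days=12)),  # 9 days later: new event
    Finding("db-test-02", "exception", 10, T0 + timedelta(days=1)),  # never exceeds 40: no event
]

if __name__ == "__main__":
    for e in build_risk_events(SAMPLE):
        print(e.asset, e.score, e.severity, len(e.findings))
```

Lowering SCORE_THRESHOLD below 10 in build_risk_events makes the db-test-02 finding produce an event, and raising ACTIVE_DAYS to 10 merges all three db-prod-01 findings into one event, which is the behaviour the two settings descriptions promise.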