Troubleshooting Risk Events

Verify that your settings are configured correctly so that Risk Events can be triggered.

About this task

If no Risk Events are appearing, ensure that you followed all the steps that are listed here. These steps confirm that Risk Events is enabled properly and is receiving the relevant types of data. If you still do not see any Risk Events, contact IBM Guardium support.

Procedure

  1. Confirm that the process is enabled and running:
    On the Risk Events page, go to Settings > General tab and confirm that the Risk Events switch is set to On. Also, confirm that the last run occurred within the past hour.
  2. Confirm you are receiving the type of data that triggers a Risk Event.
    Risk Events are opened only for assets with Leads. Leads can be:
    • Outliers (anomalies)
    • High-severity violations
    • A high volume of failed logins. This lead is disabled by default.
    • A high volume of SQL exceptions. This lead is disabled by default.
    Therefore, if no Outliers or high-severity violations occurred in the last few hours, do not expect to see new Risk Events. You can check whether you have Outliers or high-severity violations on the Reports page.
    1. Check whether Outliers exist that would trigger a Risk Event.
      On the Reports page, run the predefined report named Outlier summary. Then, check whether you have any Outliers with an anomaly score higher than 40 (the default value for the Outliers Leads configuration). If you don’t have any Outliers in the report, check whether Outlier detection is running. For more information, see Outliers detection.
    2. Check whether high-severity violations exist that would trigger a Risk Event.
      On the Reports page, run the predefined report named Policy violation. Then, check whether you have any violations with a Severity value of 10.
  3. Decrease the risk score threshold.
    If one of the reports you checked does display data that triggers a Risk Event but you still don’t see any Risk Events, consider decreasing the risk score threshold.
    Note: A Risk Event is opened only if its score is higher than this threshold.
    1. Go to Settings > Global settings > Risk event settings and decrease the Risk score threshold (the default number is 40).
      Note: A change to this setting applies only from the time that you make the change. It does not apply to Risk Events from before the time of the change.