Ensure that your settings are configured properly to trigger Risk Events.
About this task
If no Risk Events are appearing, ensure that you followed all the steps that are listed here. These steps ensure that Risk Events is enabled properly and receiving the relevant sorts of data. If you still are not seeing any Risk Events, contact IBM Guardium support.
Procedure
- Confirm that the process is enabled and running:
On the Risk Events page, go to and confirm that the Risk Events switch is set to On. Also, confirm that the last run occurred within the past hour.
- Confirm that you are receiving the type of data that triggers a Risk Event.
Risk Events are only opened for assets with Leads. Leads can be:
  - Outliers (anomalies)
  - High severity violations
  - A high volume of failed log-ins. This lead is disabled by default.
  - A high volume of SQL exceptions. This lead is disabled by default.
Therefore, if no Outliers or high severity violations occurred in the last few hours, do not expect to see new Risk Events. You can check whether you have Outliers or high severity violations on the Reports page.
- Check whether Outliers exist that would trigger a Risk Event.
On the Reports page, run the predefined report named Outlier summary. Then, check whether you have any Outliers with an anomaly score higher than 40 (the default value for the Outliers Leads configuration). If you don’t have any Outliers in the report, check whether Outlier detection is running. For more information, see Outliers detection.
- Check whether high-severity violations exist that would trigger a Risk Event.
On the Reports page, run the predefined report named Policy violation. Then, check whether you have any violations with a Severity value of 10.
- Decrease the risk score threshold.
If one of the reports you checked does display data that triggers a Risk Event but you still don’t see any Risk Events, consider decreasing the risk score threshold.
Note: A Risk Event is opened only if its score is higher than this threshold.
- Go to and decrease the Risk score threshold (the default number is 40).
Note: Changing this setting applies only from the time that you made the change. It does not apply to Risk Events before the time of the change.