Configuring Risk Event Leads

Configure Risk Event leads to determine which assets are treated as potential risks and therefore enter risk evaluation.

The Risk Event process runs every hour, searching for assets with a potential risk. The risk of these assets is then evaluated, and if an asset’s risk score is higher than the threshold, a Risk Event is created.

Leads are assets with a potential risk and the processes that search for them are called lead generators. You can configure some aspects of the lead generators by using the Insights REST API.

Use the GetLeadGeneratorConfig API to view the list of lead generators and their current configuration. This API shows how each lead is calculated, with which parameters, and whether each generator is enabled. Use its output to decide which generators you want to enable or disable.

Use the UpdateLeadGeneratorConfig API to configure the lead generators. Using this API, you can edit the values that GetLeadGeneratorConfig displays.

In UpdateLeadGeneratorConfig, you can configure the following information:

    {
        "lead_generator_name": "string",
        "is_active": true,
        "max_number_of_records": 0,
        "minimum_count": 0,
        "minimum_severity": 0
    }

lead_generator_name
    is a lead type. Some generators are separated per asset type so that you can customize the configuration for each asset type. You can identify which generators are separated per asset type by looking at the generator name: "DB" denotes a database asset, while "user" denotes a database or operating system user asset.
is_active
    defines whether that lead type is enabled or not.
max_number_of_records
    defines the maximum number of assets that can be processed for each lead type per hour. Assets that exceed this maximum within the hour are not processed by the Risk Events process.
minimum_count
    defines the minimum threshold for exception leads. When the number of exceptions surpasses the amount that is configured here, a new exception lead is created.
minimum_severity
    defines the severity threshold that determines whether a lead is created or not.

For Outliers, the minimum severity value corresponds to the anomaly score. For violations, it refers to the violation severity.

Minimum severity threshold is not to be confused with the threshold setting in the Risk events settings in the UI.
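The following Python example is added here to illustrate the fields described above; it is not IBM's code and does not call the Insights REST API. It models the UpdateLeadGeneratorConfig body, validates a body before you send it, and applies the fields to constructed candidate assets the way the text describes them. The exact comparison rules (severity compared with >=, exception count compared with >, and the per-hour cap applied in input order) are assumptions taken from the wording, not documented Guardium behaviour.

```python
import json
from dataclasses import dataclass, asdict

# Added example, not IBM's code. Field names follow the UpdateLeadGeneratorConfig
# body shown on the page; the selection rules below are assumptions.


@dataclass
class LeadGeneratorConfig:
    lead_generator_name: str
    is_active: bool
    max_number_of_records: int   # per-hour cap on processed assets
    minimum_count: int           # threshold for exception leads
    minimum_severity: float      # anomaly score (outliers) or violation severity

    def to_request_body(self) -> dict:
        """Return the JSON-shaped body that UpdateLeadGeneratorConfig expects."""
        return asdict(self)


def validate_config(body: dict) -> LeadGeneratorConfig:
    """Check a body before sending it, to catch mistakes that would silently
    disable a generator (non-boolean is_active) or flood the hourly run
    (negative or non-integer record cap)."""
    required = {
        "lead_generator_name": str,
        "is_active": bool,
        "max_number_of_records": int,
        "minimum_count": int,
        "minimum_severity": (int, float),
    }
    for key, typ in required.items():
        if key not in body:
            raise ValueError(f"missing field: {key}")
        value = body[key]
        # bool is a subclass of int in Python, so reject it explicitly for numeric fields
        if typ is not bool and isinstance(value, bool):
            raise ValueError(f"{key} must not be a boolean")
        if not isinstance(value, typ):
            raise ValueError(f"wrong type for {key}: {type(value).__name__}")
    if body["max_number_of_records"] < 0 or body["minimum_count"] < 0:
        raise ValueError("record cap and minimum count must be non-negative")
    return LeadGeneratorConfig(**body)


def select_leads(config: LeadGeneratorConfig, candidates: list) -> list:
    """Apply a generator's configuration to one hour's candidate assets.

    Each candidate is a dict with an 'asset' name and either a 'score'
    (anomaly score or violation severity) or an 'exception_count'.
    Returns the asset names that become leads, capped at max_number_of_records.
    """
    if not config.is_active:
        return []
    leads = []
    for candidate in candidates:
        if "exception_count" in candidate:
            # exception lead: the count must surpass minimum_count (assumed strict)
            if candidate["exception_count"] <= config.minimum_count:
                continue
        elif candidate["score"] < config.minimum_severity:
            continue
        leads.append(candidate["asset"])
        if len(leads) >= config.max_number_of_records:
            break  # assets beyond the hourly cap are not processed
    return leads


# Constructed sample data for demonstration only.
DB_CANDIDATES = [
    {"asset": "db-prod-01", "score": 92.5},
    {"asset": "db-dev-03", "score": 40.0},
    {"asset": "db-prod-02", "score": 71.0},
    {"asset": "db-hr-01", "score": 88.0},
]
USER_CANDIDATES = [
    {"asset": "alice", "exception_count": 3},
    {"asset": "bob", "exception_count": 5},
    {"asset": "carol", "exception_count": 6},
]

if __name__ == "__main__":
    db_outliers = LeadGeneratorConfig("outlier_db", True, 2, 0, 70.0)
    print(json.dumps(db_outliers.to_request_body(), indent=4))
    print("DB outlier leads:", select_leads(db_outliers, DB_CANDIDATES))
    user_exceptions = LeadGeneratorConfig("exception_user", True, 10, 5, 0)
    print("user exception leads:", select_leads(user_exceptions, USER_CANDIDATES))
```

Running the script prints the request body for the database outlier generator and then the leads each generator would produce for the constructed hour: the cap of two keeps only the first two database assets above the 70.0 threshold, and only the user whose exception count exceeds 5 becomes an exception lead. Lowering max_number_of_records or raising minimum_severity trades coverage for noise in the same way on live data.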

See Using Guardium® Insights API, specifically the Risk Analytics Engine API, for details.