Risk Events
A Risk Event is a collection of data points around an asset that shows a potential risk.
The Risk Event module evaluates assets every hour, looking for assets with potential risks. It examines the asset's activities and other attributes and evaluates the asset's risk. Assets are databases, database users, and operating system users. The leads it looks for are as follows:
- Outliers, or anomalies, such as an exceptionally high volume of SELECT activities, DELETE activities from a certain table, or new activities (that is, activities a user never performed before).
- High severity policy violations.
- High volume of failed logins. Disabled by default. See details in Configuring Risk Event Leads.
- High volume of SQL exceptions. Disabled by default. See details in Configuring Risk Event Leads.
The following are some examples of Risk Events:
- A certain database had 300 failed logins during an hour, along with policy violations typical of SQL injection attacks. During the following hour, the same database had an exceptionally high volume of SQL exceptions and an exceptionally high volume of activities on the CUSTOMER, CREDIT_CARD, and PURCHASE_ORDER tables.
- A certain user had an exceptional number of SELECT activities and an exceptional number of DELETE activities during an hour.
A list of terminology that the Risk Events module employs:
- Risk Event: a potential attack or breach with the following characteristics: asset, time frame, category, severity level, and findings.
- Asset: the objects that the Risk Events process observes when it searches for Risk Events. The asset types are as follows: database, database user, and operating system user.
- Finding, lead: data points, such as outliers and policy violations, that indicate a potential breach.
- Feature: historical data about the asset that portrays an attribute of the asset. The Risk Events process uses a list of features to categorize the Risk Event and calculate its risk score and severity level. The following are some examples of features:
  - Total number of high severity violations in the last hour: 23
  - Number of failed log-in attempts in the last week: 744
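As an added illustration, not Guardium Insights' own code, the following Python sketch shows how the pieces described above fit together for one evaluation hour: hourly activity counts per asset are the features, leads fire on outliers against the asset's history, on activities never seen before, on high severity policy violations, and on the failed-login and SQL-exception thresholds when those leads are enabled, and the findings are rolled into a Risk Event carrying an asset, a time frame, a category, a severity level, and the findings themselves. The sample assets and counts, the z-score outlier rule, the lead thresholds, the score weights, and the category and severity names are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Lead configuration (assumed values). The page only states that the
# failed-login and SQL-exception leads are disabled by default.
LEAD_CONFIG = {
    "outlier_z": 3.0,  # hourly count is an outlier above mean + z * stdev
    "failed_logins": {"enabled": False, "threshold": 100},
    "sql_exceptions": {"enabled": False, "threshold": 100},
}
# Assumed weights for turning findings into a risk score, and an assumed
# mapping from leads to Risk Event categories.
WEIGHTS = {"outlier": 2, "new_activity": 1, "policy_violation": 3,
           "failed_logins": 2, "sql_exceptions": 2}
CATEGORY = {"outlier": "anomalous activity", "new_activity": "anomalous activity",
            "policy_violation": "policy violation", "failed_logins": "failed logins",
            "sql_exceptions": "SQL exceptions"}

# Constructed sample data: per-asset history of hourly counts (the features)
# and the counts observed in the hour under evaluation.
SAMPLE_BASELINE = {
    "db_user:app_svc": {"SELECT": [120, 130, 110, 125, 118, 135, 122, 128],
                        "DELETE": [2, 1, 3, 2, 2, 1, 2, 3]},
    "db:payroll-prod": {"SELECT": [50, 55, 52, 48, 51]},
}
SAMPLE_HOUR = {
    "db_user:app_svc": {"activities": {"SELECT": 980, "DELETE": 45, "DROP_TABLE": 1},
                        "high_severity_violations": 4, "failed_logins": 300},
    "db:payroll-prod": {"activities": {"SELECT": 54}},
}

@dataclass
class Finding:
    lead: str     # which lead fired
    detail: str   # the data point behind it

@dataclass
class RiskEvent:
    asset: str
    time_frame: str
    category: str
    severity: str
    score: int
    findings: list = field(default_factory=list)

def is_outlier(history, value, z):
    """True if value exceeds mean + z * stdev of the history. With a flat
    history (stdev 0), any value above the mean counts as an outlier."""
    if not history:
        return False
    mu, sigma = mean(history), pstdev(history)
    return value > mu + z * sigma if sigma else value > mu

def collect_findings(baseline, current, config=LEAD_CONFIG):
    """Apply every lead to one asset's hour and return the findings."""
    findings = []
    for activity, count in current.get("activities", {}).items():
        history = baseline.get(activity)
        if history is None and count > 0:   # activity never seen before
            findings.append(Finding("new_activity", f"{activity}: {count}, never seen before"))
        elif history and is_outlier(history, count, config["outlier_z"]):
            findings.append(Finding("outlier", f"{activity}: {count} vs hourly mean {mean(history):.0f}"))
    violations = current.get("high_severity_violations", 0)
    if violations > 0:
        findings.append(Finding("policy_violation", f"{violations} high severity violations"))
    for lead in ("failed_logins", "sql_exceptions"):   # threshold leads, off by default
        cfg = config[lead]
        if cfg["enabled"] and current.get(lead, 0) >= cfg["threshold"]:
            findings.append(Finding(lead, f"{current[lead]} {lead.replace('_', ' ')} in the hour"))
    return findings

def risk_score(findings):
    return sum(WEIGHTS[f.lead] for f in findings)

def severity_level(score):
    """Assumed score bands for the severity level."""
    return "critical" if score >= 8 else "high" if score >= 5 else "medium" if score >= 2 else "low"

def categorize(findings):
    """Category is the one whose leads contribute the most score."""
    contrib = {}
    for f in findings:
        contrib[CATEGORY[f.lead]] = contrib.get(CATEGORY[f.lead], 0) + WEIGHTS[f.lead]
    return max(contrib, key=contrib.get)

def evaluate(asset, time_frame, baseline, current, config=LEAD_CONFIG):
    """Return a RiskEvent for the asset and hour, or None if no lead fired."""
    findings = collect_findings(baseline, current, config)
    if not findings:
        return None
    score = risk_score(findings)
    return RiskEvent(asset, time_frame, categorize(findings), severity_level(score), score, findings)

if __name__ == "__main__":
    for asset in SAMPLE_HOUR:
        event = evaluate(asset, "2024-05-01T10:00/11:00", SAMPLE_BASELINE[asset], SAMPLE_HOUR[asset])
        print(asset, "->", event)
```

Running the block reports a critical event for the application user (two outliers, one new activity, and the policy violations) and nothing for the payroll database, whose SELECT count sits inside its normal range; enabling the failed-login lead in `LEAD_CONFIG` adds a fifth finding for the 300 failed logins, which is the kind of lead the page says must be switched on explicitly.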
In Guardium® Insights, databases are identified by server IP and database name or service name, depending on their type.
Vulnerability assessment and classification results are based on the respective processes in Guardium Data Protection. They can be linked to Risk Events only if the Guardium Data Protection data source was defined by the server IP and database name or service name.