Configuring Risk Events settings

Enable and disable the Risk Event process and feedback collection option. Manage asset exclusion. Tune the risk score and severity calculation. Set up response rules.

Premium This feature is available only in the Premium edition of Guardium® Insights SaaS.

To open the Risk events page, select Risk events in the main menu.

On the Risk events page, click Settings at the upper right of the page.

The Risk event settings page has four tabs – General, Exclusion, Risk profile, and Response rules.

General tab

Used to enable or disable the Risk Event process and to handle the option to collect feedback and send it to IBM.

Refer to Enabling the Risk Event process for details on how to enable the Risk Event process. Refer to Providing feedback for details on the Risk Event feedback.

Exclusion tab

Assets can be excluded from the Risk Event process. This tab lists the Guardium Insights SaaS groups of items that are excluded from the process. Click a link to view and manage each one of the groups.

The groups are as follows:

  • Applications excluded from analysis - default
  • Databases excluded from analysis - default
  • DB users excluded from analysis - default
  • OS users excluded from analysis - default
  • Server IPs excluded from analysis - default
  • Server IPs and databases excluded from analysis - default
  • Server IPs, databases, and database users excluded from analysis - default

You can exclude all the items in an existing Guardium Insights SaaS group by adding that group to one of the groups listed below, according to the group type. The groups listed above are groups of groups: every item in each nested group is excluded from the Risk Event process.

  • Applications excluded from analysis
  • Databases excluded from analysis
  • DB users excluded from analysis
  • OS users excluded from analysis
  • Server IPs excluded from analysis
  • Server IPs and databases excluded from analysis
  • Server IPs, databases, and database users excluded from analysis

Note: The tuple items (Server IPs and databases; Server IPs, databases, and database users) are defined as a database. When you add either of these items as an item or group to be excluded, complete both the server IP and database name fields. Do not complete any other fields; they are ignored. These items can also be populated while you are closing a Risk Event.

Note: When you are responding to a Risk Event, you can flag the Risk Event assets for exclusion. If you do, the asset is added to the appropriate exclude group.
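The exclusion semantics above (groups of groups, tuple items matched on server IP plus database name only, extra fields ignored, and an asset added to the matching group when an event is closed) can be modelled in a few lines. This is an added illustration, not Guardium Insights code; the group names mirror the page, while the asset field names, the `kind` attribute and the matching rule are assumptions drawn from the page's notes.

```python
"""Model of the Risk Event exclusion groups described above.

Added illustration, not Guardium Insights code. Group names mirror the page;
the matching rule (compare only the fields each group type is keyed on and
ignore everything else) is an assumption drawn from the page's tuple-item note.
"""
from dataclasses import dataclass, field

# Fields each exclusion-group type is keyed on (assumed field names).
GROUP_KEYS = {
    "Applications excluded from analysis": ("application",),
    "Databases excluded from analysis": ("database",),
    "DB users excluded from analysis": ("db_user",),
    "OS users excluded from analysis": ("os_user",),
    "Server IPs excluded from analysis": ("server_ip",),
    "Server IPs and databases excluded from analysis": ("server_ip", "database"),
    "Server IPs, databases, and database users excluded from analysis":
        ("server_ip", "database", "db_user"),
}


@dataclass
class Group:
    """An exclusion group: members are asset dicts or nested Groups."""
    name: str
    kind: str                       # one of the GROUP_KEYS names
    members: list = field(default_factory=list)


def flatten(group):
    """Yield every asset dict in a group, descending into nested groups
    (the page's "groups of groups")."""
    for member in group.members:
        if isinstance(member, Group):
            yield from flatten(member)
        else:
            yield member


def matches(item, asset, keys):
    """An item matches when every keyed field is filled in and equal on the
    asset; fields outside the key tuple are ignored."""
    return all(item.get(k) is not None and item.get(k) == asset.get(k) for k in keys)


def is_excluded(asset, exclusion_groups):
    """True if any item in any exclusion group matches the asset."""
    for group in exclusion_groups:
        keys = GROUP_KEYS[group.kind]
        if any(matches(item, asset, keys) for item in flatten(group)):
            return True
    return False


def add_exclusion(group, asset):
    """Add an asset to a group, keeping only the fields that group type is
    keyed on (models the 'exclude the Risk Event assets' flag on an event)."""
    keys = GROUP_KEYS[group.kind]
    entry = {k: asset[k] for k in keys}
    group.members.append(entry)
    return entry


# Constructed sample configuration (not real data).
TEST_DBS = Group("Test DBs", "Databases excluded from analysis",
                 [{"database": "sandbox"}])
EXCLUSIONS = [
    # A default group holding a user-defined group: a group of groups.
    Group("Databases excluded from analysis - default",
          "Databases excluded from analysis", [TEST_DBS]),
    # Tuple item: the extra os_user field is ignored, as the page says.
    Group("Server IPs and databases excluded from analysis - default",
          "Server IPs and databases excluded from analysis",
          [{"server_ip": "10.0.0.5", "database": "payroll", "os_user": "ignored"}]),
]

if __name__ == "__main__":
    print(is_excluded({"server_ip": "10.0.0.5", "database": "payroll", "os_user": "alice"}, EXCLUSIONS))
    print(is_excluded({"server_ip": "10.0.0.5", "database": "hr"}, EXCLUSIONS))
```

The `os_user` value on the tuple item never takes part in the comparison, which is exactly why the page tells you to fill in only the server IP and database name for those entries.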

Risk profiles tab

The risk scorer computes the risk score of every asset based on the assigned weight and criticality of the identified features. The Risk Event’s severity level is determined by the calculated risk score.

Use the risk profile configuration framework to assign weight for various categories of features for computing risk score. You can customize your risk profile to assess risk based on how important each feature is for your organization.

Response rules tab

The response rules are automated rules that are applied to every Risk Event when it is created and updated.

Each rule has conditions and actions. If all the rule conditions are fulfilled, the actions are performed.

These items are examples of rules:

  • If the Risk Event’s severity is Critical, then send a notification email to the security analysts AND create a ticket in an external ticketing system.
  • If the database name is X, then send a GI notification to the security analysts.

To create a response rule:

  1. Click Create rule.
  2. Enter a name and description and click Next.
  3. Define the rule conditions. Select a condition type in the condition field, an operator (equal, not equal), and a value.
  4. Click Add another condition to add conditions. You can add as many conditions as needed.
  5. Click Next.
  6. Define the rule actions. Select an action from the list and enter relevant fields.
  7. Click Add another action to add actions. If the conditions are fulfilled, then all the actions are performed.
  8. Click Next.
  9. Review and save the rule.
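The evaluation model the page describes (a rule fires only when every condition holds, using the equal and not equal operators, and then every action of that rule is performed, on both creation and update of an event) is shown here as an added example; it is not Guardium Insights code. The condition field names, action kinds and parameters are assumptions; the two sample rules mirror the examples given above.

```python
"""Model of response-rule evaluation as described above.

Added illustration, not Guardium Insights code. The rule shape (conditions
with equal / not equal operators, all of which must hold; then all actions)
follows the page; field names and action kinds are assumptions.
"""
from dataclasses import dataclass, field

# The two operators the page names for conditions.
OPERATORS = {
    "equal": lambda actual, expected: actual == expected,
    "not equal": lambda actual, expected: actual != expected,
}


@dataclass
class Condition:
    field: str      # condition type, e.g. "severity" or "database" (assumed)
    operator: str   # "equal" or "not equal"
    value: str


@dataclass
class Action:
    kind: str                   # e.g. "email", "ticket", "gi_notification" (assumed)
    params: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    conditions: list
    actions: list

    def matches(self, event):
        """All conditions must hold (logical AND), as the page states."""
        return all(OPERATORS[c.operator](event.get(c.field), c.value)
                   for c in self.conditions)


def apply_rules(event, rules):
    """Return (rule name, action kind, params) for every action of every rule
    whose conditions all hold. Run this on each create and update of an event."""
    performed = []
    for rule in rules:
        if rule.matches(event):
            performed.extend((rule.name, a.kind, a.params) for a in rule.actions)
    return performed


# Constructed sample rules mirroring the page's two examples, with a second,
# negated condition on the first rule to show AND and "not equal".
RULES = [
    Rule("Critical events",
         [Condition("severity", "equal", "Critical"),
          Condition("database", "not equal", "sandbox")],
         [Action("email", {"to": "security-analysts"}),
          Action("ticket", {"system": "external"})]),
    Rule("Watch database X",
         [Condition("database", "equal", "X")],
         [Action("gi_notification", {"to": "security-analysts"})]),
]

if __name__ == "__main__":
    for kind in apply_rules({"severity": "Critical", "database": "X"}, RULES):
        print(kind)
```

Because rules are independent of one another, an event that satisfies both sample rules receives the union of their actions; an event that fails one condition of a rule gets none of that rule's actions, even if its other conditions hold.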