How to manage the review of multiple database security incidents

Incident management - track and resolve database security incidents.

About this task

Administrators can group a series of related policy violations into a single incident and assign that incident to specific individuals. This reduces the number of separate policy violations that oversight teams need to review.

Prerequisites

  • Create a Policy (See Policies).
  • Start inspection engines (See Inspection Engine Configuration).

A security policy contains an ordered set of rules to be applied to the observed traffic between database clients and servers.

A policy violation is logged each time that a rule is triggered. Policy violations can be assigned to incidents, either automatically by a process, or manually by authorized users (see Incident Management).

Summary of Steps

  1. Click Comply > Tools and Views > Incident Generation to open Incident Generation Processes.
  2. Edit Incident Generation Process (Query, Severity, Threshold, Scheduling).
  3. Go to Incident Management tab for reports.

Incident Management

The Incident Management application provides a business-user interface with workflow automation for tracking and resolving database security incidents.

Incident generation processes can be defined and scheduled to read the policy violations log and generate new incidents. From an incident generation process, each selected incident is:

  • Assigned a unique incident number.
  • Assigned to a user.
  • Assigned a severity code.
  • Assigned to a category.

In addition, policy violations can be assigned manually (by authorized users) to new incidents or existing incidents from the Policy Violations / Incident Management report.

Once an incident has been generated, administrators and other users work with incidents from the Incident Management tab, which is included on both the admin and user portals. From there, all other tasks can be performed (assign incidents, send notifications, assign status, and so forth).

The Incident Management functions can be accessed from the drill-down menus of the Incident Management reports. Each user may only have a subset of reports or functions available, depending on the security roles assigned to the user account.

Define an Incident Generation Process

An incident generation process executes a query against the policy violations log, and generates incidents based on that query. By default, the definition and scheduling of incident generation processes is restricted to users with the admin role.

Procedure

  1. Click Comply > Tools and Views > Incident Generation to open Incident Generation Processes.
  2. Click the Add Process button to open the Edit Incident Generation Process panel.
  3. Select a query from the Query list. There are several restrictions that apply to queries used in an incident generation process. Open the query in the Query Builder to verify that it satisfies the following criteria:
    • The query must be from the Policy Violations domain.
    • The query must have the Add Count checkbox checked. See Query Builder Overview (Queries) for more information.
    • The main entity for the query must be the Policy Rule Violation entity.
    • The query fields for the query must not include a SQL string (from either the SQL entity or the Full SQL String attribute of the Policy Rule Violation entity).
  4. Select a Severity for the incident (defaults to Info).
  5. Optionally enter a Category for the incident (defaults to none).
  6. Optionally enter a Threshold for generating the incident. The default is one, meaning every "row" returned by the query will generate an incident.
  7. From the Assign to User list, select the user to whom the incident will be assigned.
  8. Enter the From and To Dates for the query. For a scheduled query, use relative dates (for example: now -1 day and now).
  9. Click Save to save the process definition. You cannot run or schedule the process until it has been saved.
  10. To run the query now, click Run Once Now.
  11. To schedule the query, click Modify Schedule to open the scheduling utility. For instructions on how to use the scheduler, see Scheduling.
  Figure: Incident Management, Edit
  12. Assign/Reassign to Incident - Double-click on the policy violation to be assigned or reassigned, in one of the Incident Management reports.
  13. Select Assign/Reassign to Incident from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of open incidents (for example, Assign to Incident #123), and one additional option: Assign to a new incident.
  14. Select an incident to assign this violation to, or select Assign to a new incident to assign this Policy Violation to the next incident number available (they are numbered in sequence).

    A message displays when the change has been completed, and the Incident Management panel will be refreshed. If a new incident has been created, it will be listed first on the Open Incidents report.

    From the Incident Policy Violations / Incident Management report, users can:

    • Assign/Reassign to Incident (create an incident from this policy violation).
    • Change the severity of the incident.
    • Notify one or more users about the incident.
    • View reports of Client IP Activity, User Activity, or SQL from the incident.
  Figure: Incident Management, Assign and Reassign
  15. Assign to User - Double-click on the incident to be assigned to another user, in one of the Incident Management reports.
  16. Select Assign to user from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users, and one additional option: Unassign.
  17. Select a user, or select Unassign to remove the currently assigned user. When a user is assigned, the Status Description will be Assigned; when the incident is unassigned, the Status Description will be Open.

    A message displays when the change has been completed, and the Incident Management panel will be refreshed.

  18. Change Severity - Double-click on the incident on which the severity is to be changed, in one of the Incident Management reports.
  19. Select Change Severity from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of severity codes: Info, Low, Med, and High.
  20. Select the desired severity code.

    A message displays when the change has been completed, and the Incident Management panel will be refreshed.

    Once a policy violation has been assigned to an incident, the incident displays in the Open Incidents report. From the Open Incidents report, users can perform the actions shown:

  Figure: Incident Management, Change Severity
  21. Notify - Double-click on the incident a user is to be notified about, in one of the Incident Management reports.
  22. Select Notify from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of users.
  23. Select a user.

    When the user gets the notification, a message will be displayed.

  24. Change Status - Double-click on the incident on which the status is to be changed, in one of the Incident Management reports.
  25. Select Change Status from the drill-down menu. When selected, this menu will be replaced by a new menu containing a list of status codes:
    • ASSIGNED - Once an incident has this status, it cannot have additional policy violations added to it. To add policy violations, change the incident status back to Open, add the violations, and then change the status back to Assigned.
    • CLOSED - Once an incident is marked Closed it cannot be modified, and is no longer listed.
    • OPEN - This is the initial status for a new incident.
  26. Select the desired status code.

    A message displays when the change has been completed, and the Incident Management panel will be refreshed.

  27. Add Comments - Double-click on the incident to which comments are to be added, in one of the Incident Management reports.
  28. Select Comments from the drill-down menu, to open the User Comment window. For instructions on how to add comments, see Commenting.

    Each user portal displays a My Open Incidents report for that user. From the My Open Incidents report, users can perform the actions shown:

  Figure: Incident Management, Comments
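The following is an added example, not Guardium code, that models the incident generation process (steps 1 to 11) together with the status rules of step 25: a query with Add Count grouped over a constructed policy violation log, a threshold, sequential incident numbers, and the constraints that only OPEN incidents accept new violations and CLOSED incidents cannot be modified. The log rows, the field layout and the reading of the threshold as "rows whose count reaches it" are assumptions of this example.

```python
from collections import Counter
from itertools import count

# Constructed policy violation log: (rule, client_ip, db_user, full_sql).
# Field 3 is the Full SQL String and may not be used as a query field.
VIOLATIONS = [
    ("Failed login", "10.0.0.5", "app", "CONNECT"),
    ("Failed login", "10.0.0.5", "app", "CONNECT"),
    ("Failed login", "10.0.0.9", "dba", "CONNECT"),
    ("Table DROP", "10.0.0.7", "dba", "DROP TABLE audit"),
]
SQL_FIELD = 3
_incident_numbers = count(1)   # incidents are numbered in sequence

def generate_incidents(rows, group_by, threshold=1, severity="Info",
                       category=None, assign_to=None):
    """Run a Policy Violations query with Add Count: group rows by the chosen
    fields; each result row whose count reaches the threshold becomes an
    incident (threshold semantics is an assumption of this example)."""
    if SQL_FIELD in group_by:
        raise ValueError("query fields must not include the SQL string")
    counts = Counter(tuple(r[i] for i in group_by) for r in rows)
    incidents = []
    for key, n in sorted(counts.items()):
        if n < threshold:
            continue
        incidents.append({
            "number": next(_incident_numbers), "key": key, "violations": n,
            "severity": severity, "category": category, "user": assign_to,
            "status": "ASSIGNED" if assign_to else "OPEN",
        })
    return incidents

def add_violation(incident):
    """Only OPEN incidents accept additional policy violations."""
    if incident["status"] != "OPEN":
        raise ValueError(f"incident #{incident['number']} is {incident['status']}")
    incident["violations"] += 1
    return incident

def change_status(incident, status):
    """Change Status; a CLOSED incident can no longer be modified."""
    if incident["status"] == "CLOSED":
        raise ValueError(f"incident #{incident['number']} is closed")
    if status not in ("OPEN", "ASSIGNED", "CLOSED"):
        raise ValueError(f"unknown status {status}")
    incident["status"] = status
    return incident
```

Calling generate_incidents(VIOLATIONS, group_by=(0, 1), threshold=2, severity="High", assign_to="analyst") yields one ASSIGNED incident for the two failed logins from 10.0.0.5; to add a later violation to it, the status must first be changed back to OPEN.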