Viewing case reports

View case reports in threat analytics.

Guardium analyzes the symptoms over time, correlates them, and assigns a score to each possible attack that it identifies. If the score indicates a likely attack, the set of events becomes a case whose ID is unique per collector. Cases are externalized in case reports, one for each suspected attack. Access case reports in one of the following ways:

  • Set up an audit process to receive notifications in your To-Do list on the Central Manager, and open the report directly on the relevant associated collector. The To-Do list is updated once an hour.
  • Access the reports in the UI by going to Investigate > Exceptions.

In the case reports window, a case report presents, by default, up to 3 incidents (one per line). Each case includes a risk score from 1 to 3, with 3 being the most severe. In this window, you can:

  • Hover on the case ID to view a summary of the attack (stored procedure cases only).
  • Hover on the case ID and click Link to Symptoms to access the detailed symptoms report.
  • Click the ID to open the case-specific threat diagnostic dashboard. See Working with threat diagnostic dashboards.

Restrictions: Case reports have the following restrictions:

  • Data Level Security is not available.
  • These reports cannot be cloned.
  • You can create a distributed report for these case reports. However, the Central Manager does not provide direct links from the case report to the threat diagnostic dashboard. Additional hover help and links to symptoms are not available.