Working with case reports

This topic describes working with case reports.

Guardium analyzes the symptoms over time, correlates them, and assigns a score to each identified possible attack. If the score indicates a likely attack, the set of events becomes a case whose ID is unique per collector. Cases are externalized in case reports, one for each suspected attack. Access case reports in one of two ways:

  • Set up an audit process to receive notifications in your To Do list on the Central Manager, and open the report directly on the relevant associated collector. Note that the To Do list is updated once an hour.
  • Access Investigate > Exceptions.

The case reports window

A report presents, by default, up to 3 incidents, one per line. Each case includes a risk score from 1 to 3, with 3 being the most severe. You can:

  • Hover on the case ID to view a summary of the attack (only stored procedure cases).
  • Hover on the case ID and click Link to Symptoms to access the detailed symptoms report.
  • Click the ID to open the case-specific threat diagnostic dashboard. See Working with threat diagnostic dashboards.

Restriction: Case reports have the following restrictions:
  • There is no Data Level Security.
  • These reports cannot be cloned.
  • You can create a distributed report for these case reports; however, from the Central Manager there are no direct links from the case report to the threat diagnostic dashboard, and there is no additional hover help and link to symptoms.