Running policy analyzer and reviewing results

Policy analyzer provides insights that help identify frequently fired rules, optimize rule order, and evaluate rule changes.

Before you begin

Policy analyzer works with standalone Guardium systems or managed units in a centrally managed environment and requires currently installed policies to evaluate traffic.
Note:
  • The policy analyzer supports up to 128 rules across all installed policies. This restriction applies to the policy analyzer only.
  • Policy analyzer does not support push-down policies from z/OS S-TAPs.

About this task

There are two policy analyzer modes: continuous and ad hoc. Continuous analysis records and evaluates data at predefined intervals and is useful for observing longer-term trends in policy activity. Ad hoc analyses run once, at a time you define, and are useful for evaluating specific policy changes.

Procedure

  1. Begin by navigating to Protect > Security policies > Policy builder for data and clicking the Analyze menu.
  2. Confirm that policy analyzer is running. If necessary, start policy analyzer by clicking the Start policy analyzer link.
  3. Optional: Configure the continuous analysis interval by clicking the Change policy analyzer settings link and specifying an interval.
  4. Optional: Start an ad hoc analysis by clicking the Run ad hoc analysis link.
    1. On the Run ad hoc analysis dialog, use the Start date fields to define a date and time to begin the analysis.
    2. Use the Duration fields to define how long to run the analysis.
      Tip:
      • Use the time and duration settings to evaluate traffic before and after modifying a policy to better understand the impact of the policy change.
      • The schedules for ad hoc policy analyzer jobs are not editable and cannot overlap.
    3. Click OK to begin the ad hoc analysis.
  5. View policy analyzer results by clicking the View results link and selecting either Ad hoc analysis or Continuous analysis.

    For continuous analysis, use the Time frame setting to change how much data is displayed. For ad hoc analysis, use the Start time menu to view a specific set of ad hoc results.

    The % fired among transactions for each rule chart shows what percentage of all transactions cause each rule to fire. Because not all transactions fire a rule, the total will not always equal 100%.

    The Top rules (fire count) chart shows the number of times that a rule fired during the continuous analysis period or during the ad hoc analysis. Click the chart to see a key that identifies the chart contents. Click the Top rules (fire count) label and select Change selected rules to hide or show specific rules in the chart.

    The Details for all policy rules table summarizes activity for policies, rules, and rule actions.
    • Use the % fired among transactions column to see how often rules are firing, expressed as a percentage of all transactions evaluated in the specified time frame.
    • Use the % fired among rules column to see which rules are firing the most, expressed as a percentage of all rules that have fired during the specified time frame.
  6. Investigate specific results.
    1. Click a bar in the % fired among transactions chart to select the corresponding row in the Details for all policy rules table or click to select any row in the table.
    2. Investigate the selected row by clicking Actions > Full SQL log details or Violation log details.
      The details view provides information about the specific clients, users, and programs triggering the selected policy rule.
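To make the two percentage columns concrete, here is an added example (not Guardium code) that computes them, plus the Top rules (fire count) ranking, from a constructed list of evaluated transactions; the rule names and the sample data are invented for illustration.

```python
from collections import Counter

# Constructed sample: one entry per evaluated transaction, holding the list of
# policy rules that transaction caused to fire (empty list = no rule fired).
SAMPLE_TRANSACTIONS = [
    ["Log failed logins"],
    ["Log failed logins"],
    ["Log failed logins"],
    ["Alert on DDL", "Log DDL"],   # a rule with "continue to next rule" lets two fire
    [],
    ["Log DDL"],
    [],
    [],
    ["Alert on DDL"],
    [],
]

MAX_ANALYZER_RULES = 128  # limit stated on the page, across all installed policies


def fire_counts(transactions):
    """Top rules (fire count): how many times each rule fired in the period."""
    counts = Counter()
    for fired in transactions:
        counts.update(fired)
    return counts


def pct_fired_among_transactions(transactions):
    """Per rule: fires / all evaluated transactions * 100.
    Transactions that fire nothing still sit in the denominator, so the column
    need not add up to 100 (and can exceed it when one transaction fires
    several rules)."""
    total = len(transactions)
    return {r: 100.0 * n / total for r, n in fire_counts(transactions).items()}


def pct_fired_among_rules(transactions):
    """Per rule: fires / total fires of all rules * 100; always sums to 100."""
    counts = fire_counts(transactions)
    all_fires = sum(counts.values())
    return {r: 100.0 * n / all_fires for r, n in counts.items()}


def top_rules(transactions, limit=5):
    """Rules ordered by fire count, as the Top rules chart ranks them."""
    return fire_counts(transactions).most_common(limit)


def within_analyzer_limit(installed_rule_count):
    """Policy analyzer only evaluates when the installed rule count fits the limit."""
    return installed_rule_count <= MAX_ANALYZER_RULES
```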