Active Threat Analytics

The Active Threat Analytics dashboard shows potential security breach cases, based on the outlier mining process and on identified attack symptoms. In this dashboard, you can view and investigate cases, and take actions on individual cases.

Active Threat Analytics runs on central managers and stand-alone units.

Prerequisite: Threat finder and DAM Outlier mining must be enabled. Click the Active Threat Analytics Setup link to enable both. Active Threat Analytics shows results for all collectors on which DAM Outlier mining is enabled.

Access Active Threat Analytics from the Welcome page or from Protect > Uncover threat vectors > Active Threat Analytics.

The first row of results tabulates all cases and all open cases per entity category: databases, DB users or OS users, file systems, and file users. Within each category the cases are broken down by risk level: high, medium, and low. A database, database user, file system, or OS user that is associated with several cases is counted only once.

For example, assume there are 40 cases: 10 associated with database NN, 10 associated with user XX, and the remaining 20 each associated with a different database or user. The database and file server count plus the database and file user count would then add up to 22, not 40: NN and XX are each counted once, plus the 20 other entities.
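The counting rule above, as an added example (not Guardium code): each case carries the entity it is associated with, and the first row counts distinct entities per category rather than cases. The category names, the case record fields, and the way an entity with cases at several risk levels is attributed (once to each level it has a case at) are assumptions, since the page does not define a data model. The sample data reproduces the 40-case example from the text.

```python
# The entity categories the first row of the dashboard tabulates (assumed names).
CATEGORIES = ("database", "db_user", "os_user", "file_system", "file_user")


def summary_row(cases):
    """Count cases the way the dashboard's first row does.

    Each case is a dict: entity_type (one of CATEGORIES), entity (name of the
    database/user/file system), severity ("high"/"medium"/"low") and status
    ("open"/"closed").  A database or user with several cases is counted once
    per category.  The risk-level counts are distinct entities with at least
    one case at that level; this is an assumption, the page does not say how
    an entity with cases at several levels is attributed.
    """
    per_cat = {c: {"all": set(), "open": set(), "high": set(), "medium": set(), "low": set()}
               for c in CATEGORIES}
    for case in cases:
        buckets = per_cat[case["entity_type"]]
        buckets["all"].add(case["entity"])
        buckets[case["severity"]].add(case["entity"])
        if case["status"] == "open":
            buckets["open"].add(case["entity"])
    row = {c: {k: len(v) for k, v in b.items()} for c, b in per_cat.items()}
    row["total_cases"] = len(cases)
    # Distinct entities summed over categories: the "22, not 40" figure.
    row["total_entities"] = sum(row[c]["all"] for c in CATEGORIES)
    return row


def build_example_cases():
    """Constructed data, not a Guardium export: the page's 40-case example.
    10 cases on database NN, 10 on DB user XX, and 20 on distinct other
    databases and OS users."""
    cases = []
    for i in range(10):
        cases.append({"id": i, "entity_type": "database", "entity": "NN",
                      "severity": "high", "status": "open" if i < 3 else "closed"})
    for i in range(10, 20):
        cases.append({"id": i, "entity_type": "db_user", "entity": "XX",
                      "severity": "medium", "status": "open"})
    for i in range(20, 30):
        cases.append({"id": i, "entity_type": "database", "entity": f"db{i}",
                      "severity": "low", "status": "closed"})
    for i in range(30, 40):
        cases.append({"id": i, "entity_type": "os_user", "entity": f"osuser{i}",
                      "severity": "low", "status": "open"})
    return cases


if __name__ == "__main__":
    row = summary_row(build_example_cases())
    print(f"{row['total_cases']} cases, {row['total_entities']} distinct entities")
    for category in CATEGORIES:
        print(category, row[category])
```

Note that the "open" figure follows the same rule: database NN has three open cases but contributes one open database, so a single noisy entity cannot inflate the row.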

By default, data is presented for the last day. You can change the time period from the drop-down list.

The table shows violations, outliers, errors, and activities over the same period of time.

The table lists all cases (in descending order of severity), including the type of threat, the observed activity on which the case is based, and the source details. Active Threat Analytics identifies potential security breaches by case type, listed in Threat descriptions.

Click Databases, DB users, File Systems, and OS users to open a summary of the entities with open cases. From there, you can click View Profile to open the Behavioral Analytics for the specific database or user, and view all cases that are associated with this entity, the distribution of working hours, and the distribution of verbs. For database users, you can also click User Risk Indicators to open the Risk Details window, showing the Risk Spotter risk indicator scores.

Attention: Each high severity case is a suspected threat and should be investigated immediately.
A high severity case can also be the result of a patch installation. If your investigation confirms that, close the case.

Low severity cases can be anomalies. If so, consider closing the case.

When you are investigating cases:
  • Get a clear picture of whether this is an isolated incident, or one of many on the source.
  • Change the time frame or filters for a narrower or broader cross section, and look for patterns or other unusual behavior.
  • Look at the distribution of activity per verb, distribution over time, average activities, errors, and so on.
  • For database users, look at the risk score and analysis.
In the Cases table, you can:
  • Click the page icon next to the case number to open the Case Analysis page, which analyzes the case from several perspectives. This is the starting point of your investigation:
    • Source details: statistics and activities on the source, distribution of activities by time period, and the history of case types that were opened (and closed) on this source.
    • Case details: time, type, observations, details specific to the case type, and a link to the Full SQL report. The default time period for the Full SQL report is one hour. When you are investigating cases, also look at shorter time periods, and at earlier time periods.
    • Exploration: five sets of tables that give context to this case and provide a deep dive for your investigation:
      • Where: more details on the server and database, for example, the number of databases (and their types) on the server, and the number of cases of the same type seen on the database.
      • When: time period details: work hours, off-work hours, weekends, and what else happened during this time.
      • What: details of similar cases: case statistics, sensitive objects accessed (and by which commands), and other occurrences of this case (and where).
      • Who: statistics on the users that accessed the database, the users that normally access this database (OS users, DB users), and the client hosts they connect from. For OS users: the client hosts this user accesses from, and when that access was first recorded in Guardium.
      • How: statistics on the applications used to access the database: applications that were used during the case time window, applications that are normally used, and the first recorded use of each application (as recorded in Guardium).
    You can also take actions on individual cases:
    • Assign case: Assign the case to a role, an email, a user group, or a user. Roles and groups are preferable, since individual users and emails can change.
    • Add to group: Select a Server IP, database, DB user, file system, or file user and add it to an existing group or a new group. This is useful for tracking users and activity. You can use these groups in policies, reports, and alerts for enhanced monitoring of your system.
    • Close case: If the observed behavior is acceptable, consider closing the case. Before you close the case, you can also assign the case a threat category and severity level based on your own input by completing the Actual threat category and Actual severity fields.
    • Add a comment.
    • Open case dashboard: Opens the Investigation Dashboard, filtered for the selected case. Drill down for details of symptoms, compare to other databases and users, and view activity over time. See Investigation Dashboard.
  • Filter the entire table by threat category by using the drop-down menu or the free text field.
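The investigation steps above (isolated or repeated, distribution per verb, off-hours activity, who connected from where and with which tool, first recorded use) compared against what is normal for the source, as an added example that is not Guardium code and does not use Guardium's reports or API. It assumes a flat list of activity records with the field names shown, a work-hours definition of 08:00 to 18:00 Monday to Friday, and constructed sample traffic; the case window is the one-hour span that the Full SQL report defaults to.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumption (not stated on the page): work hours are 08:00-18:00, Monday-Friday.
WORK_START, WORK_END = 8, 18


def is_work_hours(ts):
    return ts.weekday() < 5 and WORK_START <= ts.hour < WORK_END


def investigate(activities, case_start, case_end):
    """Summarise a case window against the activity recorded before it.

    Each activity is a dict: ts (datetime), verb, db_user, os_user,
    client_host, application, error (bool).  The returned keys follow the
    questions the Case Analysis page asks: when the activity happened, what
    verbs were used, who issued it and from where, and with which tool.
    """
    baseline = [a for a in activities if a["ts"] < case_start]
    window = [a for a in activities if case_start <= a["ts"] < case_end]

    def values(rows, key):
        return {r[key] for r in rows}

    def new_in_window(key):
        # Values never recorded before the case window: the "first record of
        # use" that the Who and How tables draw attention to.
        return sorted(values(window, key) - values(baseline, key))

    active_days = {a["ts"].date() for a in baseline}
    n = len(window)
    return {
        "window_activities": n,
        "baseline_activities": len(baseline),
        "baseline_avg_per_day": len(baseline) / len(active_days) if active_days else 0.0,
        "off_hours_share": sum(not is_work_hours(a["ts"]) for a in window) / n if n else 0.0,
        "error_rate": sum(a["error"] for a in window) / n if n else 0.0,
        "verbs_window": Counter(a["verb"] for a in window),
        "verbs_baseline": Counter(a["verb"] for a in baseline),
        "new_verbs": new_in_window("verb"),
        "new_db_users": new_in_window("db_user"),
        "new_os_users": new_in_window("os_user"),
        "new_client_hosts": new_in_window("client_host"),
        "new_applications": new_in_window("application"),
    }


CASE_START = datetime(2025, 3, 15, 2, 0)    # a Saturday, 02:00
CASE_END = CASE_START + timedelta(hours=1)  # the Full SQL report's default hour


def build_example_activities():
    """Constructed sample data, not a Guardium export: two weeks of routine
    weekday traffic, then an off-hours burst from a new host and tool."""
    rows = []
    day0 = datetime(2025, 3, 1)
    for d in range(14):
        day = day0 + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        for hour, verb in ((9, "SELECT"), (11, "SELECT"), (14, "UPDATE"),
                           (16, "SELECT"), (17, "SELECT")):
            rows.append({"ts": day.replace(hour=hour), "verb": verb,
                         "db_user": "appsvc", "os_user": "svc",
                         "client_host": "app01", "application": "erp", "error": False})
    for minute, verb, err in ((5, "SELECT", False), (9, "SELECT", True), (12, "SELECT", False),
                              (20, "GRANT", False), (31, "SELECT", False), (44, "SELECT", False)):
        rows.append({"ts": CASE_START + timedelta(minutes=minute), "verb": verb,
                     "db_user": "appsvc", "os_user": "jdoe",
                     "client_host": "wks17", "application": "sqlplus", "error": err})
    return rows


if __name__ == "__main__":
    for key, value in investigate(build_example_activities(), CASE_START, CASE_END).items():
        print(f"{key}: {value}")
```

In the sample the DB user is the one that normally accesses the database, so the user alone is not the signal; the weekend hour, the GRANT that the source has never issued, and the workstation and command-line client that have no prior record are. Rerun with a shorter or an earlier window, as the text advises, by changing CASE_START and CASE_END.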

Threat cases are not replicated to the secondary central manager. After a failover, the new primary central manager therefore has no record of the existing threat cases.