
Use of Classification and Mitigation Values to Improve Risk Vectors


Article ID: 172059


Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

Incorporating the Classify and Mitigate values for DIM Incidents to improve your Risk Vectors and influence an Entity Type's Risk Score

Resolution

How are the Classification and Mitigation values associated with a DIM (Data in Motion) Incident?

When a user actions a DIM Incident by using a DIM Remediation Action, the user can also Classify the Incident and mark it as Mitigated (or Not Mitigated) by using the related action buttons (see below).

How do I use the Classification and/or Mitigation value for my DIM Incident to influence a Risk Score?

In order to influence any Risk Score, you must create or update a Risk Vector for a specific Entity Type (Application, Computer Endpoint, IP, Person, or User). Once you have selected your Entity Type and designed a base SQL query, you can reference the Classification and Mitigation columns and their values to limit the data that the Risk Vector evaluates, which in turn changes the resulting Risk Score.

How do I incorporate the Classification and/or Mitigation values into my Risk Vector?

Adding the DIM Classification and/or Mitigation references to a Risk Vector requires some basic SQL skills. Before you can add these fields and their values to your Risk Vector query, verify that the LDW_DIMIncidents table is part of the Risk Vector query.

Example:


The image above is a SQL query that looks at DIM Endpoint Incidents over the last 30 days. Now let's break down the two relevant sections of that query.

1) In the image below, we limit the DIM Incidents being evaluated to only those incidents that have been marked as Not Mitigated.

2) In the image below, we further limit the DIM Incidents being evaluated to only those incidents that have been classified as 1 (Violation), 2 (Investigate), or 3 (Unreviewed).

By adding the Classification (EventClassificationID) and Mitigation (IsEventMitigated) fields to our Risk Vector query, we ensure that only risky or questionable DIM Incidents and Actions are taken into account when the Risk Vector is calculated and, in turn, when it influences the Risk Score.
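The following query is an added illustration of the two filters described above combined in one Risk Vector query; it is not the query shown in the article's images and is not Broadcom's own code. Only the LDW_DIMIncidents table and the EventClassificationID and IsEventMitigated columns come from the article; the incident date column (IncidentDate), the entity column (ComputerEndpointID), the Not Mitigated value (0) and the aggregation into a per-entity score are assumptions that you should check against your own LDW schema and Risk Vector definition.

```sql
-- Added example: a Computer Endpoint Risk Vector that counts only risky,
-- unmitigated DIM Incidents from the last 30 days.
-- Assumed column names: IncidentDate, ComputerEndpointID.
-- Assumed value: IsEventMitigated = 0 means "Not Mitigated".
SELECT
    i.ComputerEndpointID          AS EntityID,      -- assumed entity key column
    COUNT(*)                      AS RiskyIncidentCount,
    SUM(CASE i.EventClassificationID
            WHEN 1 THEN 3        -- Violation: weight 3 (illustrative weights)
            WHEN 2 THEN 2        -- Investigate: weight 2
            WHEN 3 THEN 1        -- Unreviewed: weight 1
            ELSE 0
        END)                      AS WeightedRisk
FROM LDW_DIMIncidents AS i
WHERE
    -- Section 1: keep only incidents that are still Not Mitigated
    i.IsEventMitigated = 0
    -- Section 2: keep only Violation (1), Investigate (2) or Unreviewed (3)
    AND i.EventClassificationID IN (1, 2, 3)
    -- Base query scope: DIM incidents in the last 30 days (assumed date column)
    AND i.IncidentDate >= DATEADD(DAY, -30, GETDATE())
GROUP BY i.ComputerEndpointID;
```

Incidents that an analyst has classified as anything other than 1, 2 or 3 (for example a false positive) or has already marked as Mitigated fall out of the result set, so they no longer raise the entity's score. If your Risk Vector expects a single value per entity rather than a weighted sum, keep the WHERE clause and replace the aggregation with whatever the vector definition requires.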
