Anomalies

Also available in:
DRA v4.9
DRA v4.19
DRA v4.18
DRA v4.17
DRA v4.16
DRA v4.15
DRA v4.14
DRA v4.13
DRA v4.12
DRA v4.11
DRA v4.10
DRA v4.8
DRA v4.3
DRA v4.2
DRA V4.1
DRA v4.0
Last UpdatedNov 06, 2024
3 minute read

Anomalies

Data Risk Analytics detects anomalous activity based on a baseline learned from the audit data it receives. If the activity is suspicious, but not enough to deem an incident, it is displayed in the Open Anomalies page. You can then perform all actions available for incidents (e.g. investigate, star, search, filter, etc.) except for Allow List rules.

An anomaly, in contrast to an incident, is a suspicious activity that is not categorized by severity. It is another piece of information that can be attributed to an employee, and in conjunction with their incidents, lets you asses the risk they might pose.

The Open Anomalies page aggregates all detected suspicious activities in table format. It shows general details on each open anomaly.

Anomalies

General details shown for each anomaly include:

Anomaly Details

Search:

Field	Description

ID	The ID number assigned by Data Risk Analytics to the anomaly.
Type	The specific anomaly type detected (e.g. Excessive Database Record Access).
Event Time	The time and date the event occurred.
User Name	The name of the user that performed the suspicious activity. The user name type can be: - Single user - Multiple users
Source Host	The host name and IP address of the machine from which the suspicious activity originated.
Destination	Depending on the type of server to which the suspicious activity was intended, the following details are shown: Host Destination IP address Database User Database Name Cluster Name - For IBM DB2 for z/OS, this is the data sharing group Cluster Member The destination server type can be: - Single database (including IBM DB2 for z/OS standalone subsystem) - Multiple databases - Clustered Databases (currently supporting only IBM for z/OS data sharing group and MongoDB) - File Server
Comment	The comment that was entered in the Anomaly Details page.

When you click on an anomaly in the table, you are shown a more comprehensive details page about the anomaly. In addition to the details, you can perform all actions available for incidents, except Allow List rules.

Comprehensive details include:

Comprehensive Anomaly Details

Search:

Field	Description

Description	A detailed description of the anomaly stating the activity performed, by whom, from where and to where. You can click Learn how to investigate this type of incident to jump to the Data Risk Analytics Incidents Online Help where you can get in depth details on each of the incidents Data Risk Analytics is warning against.
Comment	A field where you can type any information that would further assist in understanding the anomaly.
Creation Influencing Reasons	Information on the reasons for creating the anomaly.
Source and Destination Details	Full details of the source that performed the suspicious action and the destination on which the action was performed. Note: For IBM Db2 for z/OS cluster and IBM Db2 for z/OS database that is NOT part of a cluster destinations, the details presented are Cluster Name and Cluster Member.
Anomaly Details	Specific information about what was accessed, operations performed by the source, etc.
Typical Behavior	Information about the typical activity conducted when accessing this asset in addition to typical activity conducted by this user.

Was this topic helpful?

Like Dislike

Data Risk Analytics User Guide

Filters

Source Type

Application Security

Data Security

Network Security

Application Performance

Product Versions

Hypervisor Installation

Document Type

Access

Product Area

Anomalies

Table of Contents

Anomalies

Provide feedback for this topic

Save PDF

Provide feedback for this topic