Incorporating the Classify and Mitigate values for DIM Incidents to improve your Risk Vectors and influence an Entity Type's Risk Score
How are the Classification and Mitigation values associated to a (Data in Motion) DIM Incident?
When a user actions a DIM Incident by using a DIM Remediation Action, the user can also Classify the Incident and mark it as Mitigated (or Not Mitigated) by using the related action buttons (see below).
How do I use the Classification and/or Mitigation value for my DIM Incident to influence a Risk Score?
In order to influence any Risk Score, you must create or update a Risk Vector for a specific Entity Type (Application, Computer Endpoint, IP, Person, or User). Once you have selected your Entity Type and designed a base SQL query, you can reference the Classification and Mitigation columns and values to limit the data that the Risk Vector evaluates, which in turn changes the Risk Score.
How do I incorporate the Classification and/or Mitigation values into my Risk Vector?
Adding the DIM Classification and/or Mitigation references to a Risk Vector requires some basic SQL skills. Before you add these fields and their values to your Risk Vector query, first verify that the LDW_DIMIncidents table is part of the query.
The image above is a SQL query that looks for DIM Endpoint Incidents over the last 30 days. The two relevant sections of that query are broken down below.
1) In the image below, we limit the DIM Incidents being evaluated to only those incidents that have been marked as Not Mitigated.
2) In the image below, we further limit the DIM Incidents being evaluated to only those incidents that have been classified as 1 (Violation), 2 (Investigate), or 3 (Unreviewed).
By adding the Classification (EventClassificationID) and Mitigation (IsEventMitigated) fields to our Risk Vector query, we ensure that only risky or questionable DIM Incidents and Actions are taken into account when the Risk Vector is calculated, and therefore when the Risk Score is influenced.
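The following is an added example of the two filters described above, written here for illustration; it is not the query from the article's screenshots or the product's own Risk Vector definition. It assumes a SQL Server (T-SQL) dialect, the LDW_DIMIncidents table with the EventClassificationID and IsEventMitigated columns named in the article, hypothetical column names IncidentTime and EndpointHostName for the incident timestamp and the Computer Endpoint entity, and that IsEventMitigated stores 0 for Not Mitigated. Confirm those assumptions against your own schema before using it in a Risk Vector.

```sql
-- Added example (not the product's own query). Assumptions:
--   * SQL Server / T-SQL syntax (DATEADD, GETDATE, ISNULL)
--   * LDW_DIMIncidents, EventClassificationID, IsEventMitigated: from the article
--   * IncidentTime, EndpointHostName: hypothetical column names
--   * IsEventMitigated = 0 means "Not Mitigated" (verify in your schema)

-- Step 0: sanity check the value distribution before writing the filter.
-- This shows which classification codes and mitigation flags actually occur
-- in the last 30 days, so the IN (...) list below matches real data.
SELECT   EventClassificationID,
         IsEventMitigated,
         COUNT(*) AS IncidentCount
FROM     LDW_DIMIncidents
WHERE    IncidentTime >= DATEADD(day, -30, GETDATE())
GROUP BY EventClassificationID, IsEventMitigated
ORDER BY EventClassificationID, IsEventMitigated;

-- Baseline: every DIM Endpoint incident from the last 30 days, one row per
-- endpoint. This is the kind of base query the article says must already
-- reference LDW_DIMIncidents.
SELECT   EndpointHostName,
         COUNT(*) AS IncidentCount
FROM     LDW_DIMIncidents
WHERE    IncidentTime >= DATEADD(day, -30, GETDATE())
GROUP BY EndpointHostName;

-- Narrowed: the same query with the two filters from the article added.
--   1) IsEventMitigated     -> keep only incidents marked Not Mitigated
--   2) EventClassificationID -> keep only 1 (Violation), 2 (Investigate),
--                               3 (Unreviewed)
-- Incidents that an analyst has already mitigated, or classified outside
-- those three codes, no longer contribute to the endpoint's Risk Score.
SELECT   EndpointHostName,
         COUNT(*) AS RiskyIncidentCount
FROM     LDW_DIMIncidents
WHERE    IncidentTime >= DATEADD(day, -30, GETDATE())
  -- ISNULL treats an incident nobody has actioned yet (NULL flag) as
  -- not mitigated; drop ISNULL if your schema never stores NULL here.
  AND    ISNULL(IsEventMitigated, 0) = 0
  AND    EventClassificationID IN (1, 2, 3)
GROUP BY EndpointHostName
ORDER BY RiskyIncidentCount DESC;
```

Run the first query on its own first: if it shows classification codes other than 1, 2 and 3, or mitigation values other than 0 and 1, adjust the filter in the third query to match before attaching it to the Risk Vector.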