Imperva Cyber Community

  • 1.  DRA report on Issues

    Posted 11-05-2019 13:01
    I needed a way to report on the issue types and determine if there was a type that was creating excessive issues.
    As reporting is not available in DRA, I had to use a database query to gather the information I needed.

    Here's a query that can be run on the DRA admin appliance and will create a report of issue types and count of issues:
    sudo -u postgres bash -c "psql -d itp -c \"
    SELECT issue_type, COUNT(*) FROM managed_issues GROUP BY issue_type ORDER BY issue_type;
    \"" 2>/dev/null

    This will return a list with a count --

    issue_type               | count
    -------------------------+------- 
    ABUSE_MULTIPLE_DB        | 29 
    ABUSE_SINGLE_DB          | 7 
    ACCOUNT_MISUSE           | 10
    . . .
    

    The issue_type values do not exactly match the issue type names that are used when filtering in DRA, but are similar enough to determine the issues.



    #DataRiskAnalytics(formerlyCounterBreach)


  • 2.  RE: DRA report on Issues

    Posted 11-05-2019 15:23
    It is true that DRA does not have reporting - the idea is to provide a view that lists the issues and incidents via a dashboard so you can analyze the data presented.
    In looking at your query, we do provide that data in our view but not in the summary form you show.

    DRA is an emerging product. Can you elaborate on how the summary helps you in your job and how you envision using this in the future?
    Now would be a good time to provide input that will help us develop the solution with our customers' needs top-of-mind.


  • 3.  RE: DRA report on Issues

    Posted 11-05-2019 16:31
    We have had DRA running for a couple of months now, and I use this query to determine if there are groups of issues that may require further research or whitelisting.

    We can also use it to report to management what types of issues we are finding.

    One issue that it helped with was for machine takeover.
    We noticed a high count for machine takeover, and determined that it was caused by a pool of shared VMs.
    The prefix of the shared VMs was whitelisted to reduce the issues.

    So instead of filtering the issue list by each type, we can just review counts and then work the high count issues.


  • 4.  RE: DRA report on Issues

    Posted 11-05-2019 16:59
    Excellent feedback - I have opened a feature request based on this use case.
    You are listed as the contact.
    The FR number is - 00467104

    Thank you


  • 5.  RE: DRA report on Issues

    Posted 11-05-2019 15:50
    Another useful option I have used in the past for similar situations (in the absence of built-in reporting) is to export to CSV and throw it in a pivot table (in Excel or equivalent of your choice). Then you can easily sort by issue type, users, or other fields to find what entities or policies are creating the most noise. If you really need a formatted report, then the same can also be used to create graphs and charts.

    ------------------------------
    Nathan Albury
    Program Manager, Services
    Imperva
    ------------------------------
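
The triage described in posts 3 and 5 (count by issue type, then find the entity behind a high count, such as the shared VM pool), as an added example that is not code from any poster or from Imperva. The CSV column names, the sample rows and the function names are assumptions; the thread does not show DRA's real export layout.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample export. Column names and values are assumptions,
# not DRA's actual CSV schema or issue_type strings.
SAMPLE_CSV = """issue_type,host
MACHINE_TAKEOVER,vdi-pool-001
MACHINE_TAKEOVER,vdi-pool-002
MACHINE_TAKEOVER,vdi-pool-003
MACHINE_TAKEOVER,vdi-pool-004
MACHINE_TAKEOVER,ws-fin-17
ABUSE_SINGLE_DB,ws-hr-02
ABUSE_MULTIPLE_DB,db-batch-01
ACCOUNT_MISUSE,ws-hr-09
"""

def host_prefix(host):
    """Strip a trailing numeric suffix so pooled machines group together."""
    return re.sub(r"[-_]?\d+$", "", host)

def pivot(csv_text):
    """Return (issue count per type, per-type Counter of host prefixes)."""
    by_type = Counter()
    prefixes = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_type[row["issue_type"]] += 1
        prefixes[row["issue_type"]][host_prefix(row["host"])] += 1
    return by_type, prefixes

def noisy_types(csv_text, min_share=0.5):
    """Issue types holding at least min_share of all issues, each with
    its most frequent host prefix and that prefix's issue count."""
    by_type, prefixes = pivot(csv_text)
    total = sum(by_type.values())
    report = []
    for issue_type, count in by_type.most_common():
        if total and count / total >= min_share:
            prefix, hits = prefixes[issue_type].most_common(1)[0]
            report.append((issue_type, count, prefix, hits))
    return report

if __name__ == "__main__":
    for issue_type, count, prefix, hits in noisy_types(SAMPLE_CSV):
        print(f"{issue_type}: {count} issues, {hits} from hosts named {prefix}*")
```

A dominant prefix is only a lead for review; whether it is a shared pool that should be whitelisted still has to be confirmed against the environment.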