Security Analytics Engine Overview
Introduction to the Security Analytics Engine
Launch the Administration web site (fallback)
Web site components
Plugins
Introduction to plugins
Plugins page
Available plugins
BlacklistProviderPlugin
BuiltinPlugin
GeoLocationPlugin
LdapPlugin
SonicWALLPlugin
Editing a plugin
Conditions
Introduction to conditions
Conditions page
Condition categories
Shared Policies
Application
Behavior
Adding and managing conditions
Abnormal Authentication
Abnormal Time
Associated w/ Application Category
Associated w/ Application Threat Level
Associated w/ Blacklist
Associated w/ Country
Associated w/ Malware
Authentication List
Location
Network
User
Introduction to shared risk policies
Shared risk policies
Shared Policies page
Adding and managing shared risk policies
Shared Policy wizard
Applications
Introduction to applications
Risk policies
Applications page
Adding and managing applications
Adding and managing risk policies
Adding and managing shared risk policies in an application
Auditing
Adding a shared risk policy to an application
Duplicating a shared risk policy in an application
Deleting a shared risk policy from an application
Application wizard
Introduction to auditing
Auditing page
Filtering the audit events
Configuring the retention settings
Displaying details for an individual audit event
Downloading audit events information
Adding and managing overrides on the Auditing page
Issued Alerts
Policy Overrides
Fallback Password
Editing a risk policy
After a risk policy is added to an application, it appears listed on the Applications page and can now be edited.
- On the Applications page, select the application currently using the risk policy.
- Click the
button to open the Edit Application dialog.
- In the Policies section, select the risk policy to edit and click the
- (Optional) To change the alerting configuration for the risk policy, click Alerting to expand the section and make any necessary changes.
- To change the conditions currently used by the risk policy, click the
button to open the Select conditions to monitor dialog.
- After making changes to the selected conditions, click OK to close the Select conditions to monitor dialog and return to the Edit Policy dialog.
- Use the slider bars to assign each condition a percentage according to how much of a risk you consider a user that triggers the condition during an access attempt.
- To add or edit the modifiers for a condition, use the
button to the left of the condition name to open the Select condition modifiers dialog.
- After selecting modifiers for the condition, click OK to close the dialog.
- Each modifier now appears listed beneath the original condition with a scroll bar set at 100%. Move the slider to set the impact each modifier will have on the condition score. Depending on how each modifier was configured on the Conditions page (Can increase risk, Can decrease risk, or Can both increase or decrease risk), the following settings are available:
- 0% - A modifier set to this percentage automatically causes the condition score to be 0% regardless of any other modifiers triggered. (Can decrease risk or Can both increase or decrease risk)
- 10%-90% - A modifier set between these two percentages decreases the condition score when triggered. (Can decrease risk or Can both increase or decrease risk)
- 100% - A modifier set to this percentage will not affect the condition when triggered. (Can decrease risk, Can increase risk, or Can both increase or decrease risk)
- 110%-200% - A modifier set between these two percentages increases the condition score when triggered. (Can increase risk or Can both increase or decrease risk)
- (Optional) To preview possible risk scores that can occur for the risk policy, click the
button in the upper right corner of the dialog to enable Preview Mode. Edits to the risk policy are allowed while preview mode is active.
- Select the check boxes to the left of any conditions or modifiers to preview the risk score that occurs if they are triggered during an access attempt. The Risk Score field at the top of the dialog updates as selections are made.
- Click the
button to close preview mode.
- Once you have finished editing the risk scores, click the Accept button to approve the changes and close the Edit Policy dialog.
- Click the Save button on the Edit Application dialog to save the application and return to the Applications page.
Deleting a risk policy
After a risk policy is added to an application, it appears listed on the Applications page and can be deleted.
To delete a risk policy
|
|
IMPORTANT: The Security Analytics Engine is not aware of applications’ usage of risk policies. Before deleting a risk policy, ensure that the application is not sending requests to evaluate the risk policy that is to be deleted. |
- On the Applications page, select the application currently using the risk policy.
- Click the
- In the Policies section, select the risk policy to delete and click the
button.
- A dialog is displayed confirming that you want to delete the selected risk policy. Click the Delete button.
- The deleted risk policy no longer appears listed in the Policies section of the Edit Application dialog. Click Save to return to the Applications page.
Adding and managing shared risk policies in an application
Shared risk policies allow for the same risk policy to be used by multiple applications. Shared risk policies can only be viewed, duplicated and selected for use by an application on the Applications page. The creation and management of shared risk policies is done through the Shared Policies page (see Adding and managing shared risk policies for more information). See the following sections for more information:
- Adding a shared risk policy to an application
- Duplicating a shared risk policy in an application
- Deleting a shared risk policy from an application
Adding a shared risk policy to an application
Applications > Adding and managing shared risk policies in an application > Adding a shared risk policy to an application
To add a shared risk policy to an application
|
|
NOTE: Shared risk policies can only be selected for use by an application on the Applications page. The creation of shared risk policies is done through the Shared Policies page (see Adding a new shared risk policy for more information). |
- On the Applications page, select the application which will use the shared risk policy.
- Click the
- The Policies section of the Edit Application dialog is used for adding and managing the risk policies assigned to the application. To add a new shared risk policy, click the
button to open the Available Shared Policies dialog.
- Select a shared risk policy from the list of available shared risk policies. To select multiple shared risk policies, use the CTRL or Shift keys.
- Click the Accept button to approve your selection and return to the Edit Application dialog.
- (Optional) To preview a selected shared risk policy, click the