Chatee ahora con Soporte
Chat con el soporte

Security Analytics Engine 1.0 - Help Desk User Guide

Introduction

When a user is unable to log in to an application due to a high threat level, the help desk operator is able to create an override to allow them access. This is done by locating the audit event and creating an override for the user that will allow them to access Security Analytics Engine protected applications for a specified period of time.

Auditing page

The Auditing page is displayed when Auditing is clicked on the Home page of the Security Analytics Engine Administration web site.
The Auditing page displays a list of the events for the applications currently utilizing the Security Analytics Engine. These results are filtered using the fields located at the top of the page.
Filtering options
The following are the filtering options at the top of the page:
* 
NOTE: Refreshing the screen returns the Auditing page to its default settings.
From
This field specifies a start date for searching events. By default, this is the current date. Click the button to display a calendar from which to select a start date for searching events.
To
This field specifies an end date for searching events. By default, this is the current date. Click the button to display a calendar from which to select an end date for searching events.
Application(s)
This drop-down list displays the currently configured applications. Select to display auditing information for all applications or a specific application. By default, auditing events for all applications are displayed.
Max Records
This field is used for setting the maximum number of records (1-10000) to return for the search. By default, this is 1000 records.
Search
The Search button updates the Audit Events table located beneath the filtering options.
Filter Results
This field is used to filter the displayed events based on the keywords entered. The table is updated automatically as characters are entered into the field.
Audit Events table
The following information is displayed for each event in the Audit Events table located beneath the filtering options:
Date/Time
This column displays the date and time the event was detected.
Application
This column displays the name of the application.
Message
This column displays the message associated with the event and the threat level assigned to the access attempt.
Policy
This column displays the risk policy that was evaluated.
User Name
This column displays the name of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.
IP Address
This column displays the IP address of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.
Event Details pane
When an event is selected from the audit events list, a Details button appears at the bottom of the screen. Clicking the Details button will open a panel along the bottom of the page with the following fields and button:
Conditions that returned TRUE
(Default) This section shows the conditions evaluated for the application that returned true and thus impacted the threat level sent to the application. The score listed to the right of a condition name is the score assigned to the triggered condition. Selecting a condition will display information regarding what caused the condition to return as true.
Clicking show all will switch to displaying the Monitored Conditions section.
One of the following icons will appear to the left of each condition name:
- indicates a good condition.
- indicates a bad condition.
Monitored Conditions
Displayed when the show all link is clicked, this will display all conditions that were monitored during the access attempt. Selecting a condition will display information regarding what caused the condition to return as true or false.
Clicking show only true will switch to displaying the Conditions that returned TRUE section.
One of the following icons will appear to the left of each condition name:
- indicates a good condition.
- indicates a bad condition.
Override
If there is no override currently assigned to the user, clicking this button will open the Add Override dialog. If there is an override currently assigned to the user, the Modify Override dialog will be displayed.

Filtering the audit events

The following procedure explains how to filter the events displayed in the Audit Events table.
To filter audit events:
* 
NOTE: Refreshing the screen removes filtering and returns the Auditing page to its default settings.
1
From the Home page, click Auditing to open the Auditing page.
2
In the From field, click the button to display a calendar and select the start date.
3
In the To field, click the button to display a calendar and select the end date.
4
In the Application(s) field, select to display auditing information for all applications or a specific application.
5
In the Max Records field, set the maximum number of records (1-10000) to return for the search. By default, this is 1000 records.
6
Click the Search button to update the Audit Events table.
7
To further filter the list of events, enter characters into the Filter Results field. The Audit Events table is updated automatically.
8
The results can also be sorted to help you locate a specific event. To sort the data:
Click on the column heading to be used for the sort criteria.
The sort order will be in ascending order, but can be changed to descending order by clicking the heading a second time.
To remove the sort order from a column, click the column heading until the arrow disappears.

Displaying details for an individual audit event

The following procedure explains how to view a detailed explanation of the conditions that were evaluated during an audit event.
To display details for an individual audit event:
1
From the Home page, click Auditing to open the Auditing page. By default, the audit events for the current date are displayed.
2
Select an event and click the Details button on the bottom left of the page (see Filtering the audit events for information on locating a specific event and/or an event from a previous date).
3
A new panel appears at the bottom of the page displaying the Conditions that returned TRUE section on the left side of the panel. This section displays the conditions evaluated for the application that returned true and thus impacted the threat level sent to the application. The score listed to the right of the condition name is the score assigned to the triggered condition.
One of the following icons will appear to the left of each condition name:
- indicates a good condition.
- indicates a bad condition.
Clicking the show all link will display all conditions that were monitored during the access attempt regardless of whether they returned true or false.
4
Selecting a condition from the left column will display additional information in the right column regarding the condition. Each condition includes the following additional details:
<plugin name> - <condition name> (Result: <true/false>) - This displays the name of the plugin, the name of the condition and whether the condition returned as true or false during the access attempt. For example, BuiltinPlugin1 - IsAbnormalTime (Result: true).
Use the expand properties button (right arrow) to the left of the heading to display the following information for the condition:
Parameters - Use the expand properties button (right arrow) to the left of this heading to display each condition parameter with its current setting. For example, Days = 30.
Details - Use the expand properties button (right arrow) to the left of this heading to display information on what caused the condition to trigger or not trigger during the access attempt.
5
To close the Details panel, click the Details button.
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación