Chatee ahora con Soporte
Chat con el soporte

Security Analytics Engine 1.2 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password

Dynamic Blacklist

NOTE: The BlacklistProviderPlugin is associated with this condition and provides important settings.

Categorized as a Network condition, this type of condition always causes the risk score to increase if the access attempt originates from a blacklisted IP address. The following parameters are available:

Table 18: Dynamic Blacklist parameters
Parameter Description Associated default condition

Identifier

Enter a name for the condition.

Dynamic Blacklist (Default)

Description

Enter a description for the condition.

Dynamic blacklist sources identified the request as being from a blacklisted IP address.

Use Blacklist Type(s)

Select the blacklist(s) to use:

  • All lists
  • Dell SecureWorks
  • Custom text list(s)

All Lists

Checking for a blacklisted IP address

The following procedure explains how the Security Analytics Engine checks the IP address against one or more blacklists to determine if the access attempt is from a blacklisted IP address.

How the Security Analytics Engine checks for a blacklisted IP address

  1. A user attempts to access an application that uses a Dynamic Blacklist condition type to check if an IP address is on a blacklist.
  2. The Security Analytics Engine compares the IP address used in the access attempt against the blacklists currently enabled for the BlacklistProviderPlugin. If this check returns as true (the IP address is included in a blacklist), the risk score is increased.
  3. If this check returns as false (the IP address is not in a blacklisted network), the risk score is not affected.

Network List

NOTE: The BuiltinPlugin is associated with this condition and provides important settings.

Categorized as a Network condition, this type of condition determines if the request originates from a specific IP address. The following parameters are available:

Table 19: Network List parameters
Parameter Description Associated default condition

Identifier

Enter a name for the condition.

Whitelist (Default)

Description

Enter a description for the condition.

Originated from a whitelisted IP address range.

Risk Type Value

Select the impact the condition will have on the risk score:

  • Can increase risk - Selecting this option causes the risk score to increase if the access attempt comes from a listed network.
  • Can decrease risk - Selecting this option causes the condition score to decrease if the access attempt comes from a listed network. A condition with this setting can only be used as a modifier in a risk policy.
  • Can both increase or decrease risk - Selecting this check box allows you to configure the risk score to either increase or decrease.

NOTE: In order to avoid application configuration errors, this parameter cannot be edited once the condition has been saved.

Can decrease risk

Include Local IP Addresses

Select this option to include all web server local host IP addresses when evaluating configured loopback addresses.

(Selected)

Subnet Definitions

The following fields and buttons appear in this section:

NOTE: For Whitelist (Default) there are two subnet definitions (IPv4 and IPv6).

Network IP Address

Enter the network IP address.

IPv4

  • 127.0.0.1

IPv6

  • ::1

IP Subnet Mask

Enter the subnet mask.

IPv4

  • 255.0.0.0

IPv6

  • ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Delete

Click this button to remove the subnet definition.

N/A

Add

Click to add additional subnet definitions to the list.

N/A

Checking for a specific network

The following procedure explains how the Security Analytics Engine checks the IP address to determine if the access attempt is from a listed network.

How the Security Analytics Engine checks for specific networks

  1. A user attempts to access an application that uses a Network List condition type to check if an IP address is in a listed network.
  2. The Security Analytics Engine compares the IP address used in the access attempt against the list of networks. If this check returns as true (the IP address is in a listed network), the risk score is affected.

    NOTE: If the Include Local IP Addresses parameter is selected and a loopback IP address is configured in the list, the Security Analytics Engine will also return true if the IP address used is one of the local IP addresses configured on the web server.
  3. If this check returns as false (the IP address is not in a listed network), the risk score is not affected.

User

The following conditions are available in the User category:

Table 20: User conditions
Condition type Plugin Default condition

Role List

BuiltinPlugin

Application Role (Default)

Last Logon

LdapPlugin

Last Logon (Default)

LDAP Group

LdapPlugin

LDAP Group (Default)

Role List

NOTE: The BuiltinPlugin is associated with this condition and provides important settings.

Categorized as a User condition, this type of condition determines if the user belongs to certain application roles to increase/decrease protection for accounts with specific roles. The following parameters are available:

Table 21: Role List parameters
Parameter Description Associated default condition

Identifier

Enter a name for the condition.

Application Role (Default)

Description

Enter a description for the condition.

User belongs to certain application specific roles.

Risk Type Value

Select the impact the condition will have on the risk score:

  • Can increase risk - Selecting this option causes the risk score to increase if the access attempt comes from a listed role.
  • Can decrease risk - Selecting this option causes the condition score to decrease if the access attempt comes from a listed role. A condition with this setting can only be used as a modifier in a risk policy.
  • Can both increase or decrease risk - Selecting this check box allows you to configure the risk score to either increase or decrease.

NOTE: In order to avoid application configuration errors, this parameter cannot be edited once the condition has been saved.

Can increase risk

Role Definitions

The following field and buttons appear in this section:

Role

Enter the name of an application specific role to check the user against.

  • Admin
  • Helpdesk

Delete

Click this button to remove the corresponding role from the list of role definitions.

N/A

Add

Click to add additional roles to the list.

N/A

Checking for application roles

The following procedure explains how the Security Analytics Engine checks if the user belongs to the specified role(s).

How the Security Analytics Engine checks application roles

  1. A user attempts to access an application that uses a Role List condition type to determine if the user belongs to any application specific roles.
  2. The Security Analytics Engine checks if this access attempt is from a specified role. If this check returns as false (the account is not in a specified role or has no assigned roles), the risk score is not affected.

    NOTE: In cases where a user has multiple roles, each role is checked to see if it corresponds with any of the roles specified in the Application Roles condition.
  3. If the check returns as true (the account is in a specified role), the risk score is affected.
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación