Chatee ahora con Soporte
Chat con el soporte

Security Analytics Engine 1.2 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password

Duplicating a shared risk policy in an application

To duplicate a shared risk policy in an application

NOTE: When duplicated, shared risk policies create non-shared risk policies. After being duplicated, the new non-shared risk policy is only available for the current application and is managed using the Application wizard.
  1. On the Applications page, select the application currently using the shared risk policy you want duplicated.
  2. Click the button to open the Edit Application dialog.
  3. In the Policies section, select the shared risk policy to duplicate and click the button to open the Add Policy dialog populated with the conditions and scores assigned in the original shared risk policy.
  4. In the Policy Name field, enter a name for the new non-shared risk policy.
  5. After editing the duplicate risk policy, click the Accept button to return to the Edit Application dialog.
  6. The duplicated risk policy now appears in the Policies section. Click Save to return to the Applications page.

Deleting a shared risk policy from an application

To delete a shared risk policy from an application

IMPORTANT: The Security Analytics Engine is not aware of applications’ usage of risk policies. Before deleting a shared risk policy, ensure that the application is not sending requests to evaluate the shared risk policy that is to be deleted.

NOTE: Deleting a shared risk policy from an application does NOT delete the shared risk policy from use in all applications. To permanently delete a shared risk policy you must use the Shared Policies page. See To delete a shared risk policy for more information.
  1. On the Applications page, select the application currently using the shared risk policy.
  2. Click the button to open the Edit Application dialog.
  3. In the Policies section, select the shared risk policy to delete and click the button.
  4. A dialog is displayed confirming that you want to delete the selected shared risk policy. Click the Delete button.
  5. The deleted shared risk policy no longer appears listed in the Policies section of the Edit Application dialog, but is still available for use in all applications. Click Save to return to the Applications page.

Application wizard

The Application wizard consists of a series of dialogs displayed when the Add button or the Edit button are clicked on the Applications page. This wizard is used to connect applications to the Security Analytics Engine and manage the risk policies associated with them.

The following table provides a description of the options available in the Application wizard.

Table 27: Application wizard
Add Application/Edit Application dialogs

These dialogs allow you to add or edit an application. They are accessed by either clicking the button to open the Add Application dialog, or selecting a previously created application and clicking the button to open the Edit Application dialog.

Application Name

Enter a unique name for the application. This is a display name that is only used while managing your application within the Administration web pages.

Application Description

(Optional) Enter a brief description for the application. This description is only used within the Administration web pages.

Client API ID

Enter the client’s API ID. The API ID cannot be a used again for another application.

Client API Secret

Click the button in this field to display the text of the API secret.

Generate New

Clicking this button generates a new client API secret.

Policies section - This section of the wizard allows you to add new risk policies and edit existing risk policies. The risk policies currently applied to the application are listed.

Click this button to open the Add Policy dialog.

After selecting a risk policy, click this button to open the Edit Policy dialog. This page is identical to the Add Policy dialog except it includes all information previously entered for the selected risk policy.

NOTE: This button is replaced by the button when a shared risk policy is selected from the table. See Adding and managing shared risk policies for information on editing shared risk policies.

After selecting a shared risk policy, click this button to open the View Policy dialog where you can preview the shared risk policy and simulate risk scores using the button in the upper right corner of the dialog. Edits to the shared risk policy cannot be made on this dialog.

NOTE: This button replaces the button when a shared risk policy is selected from the table.

After selecting a risk policy, click this button to duplicate the selected risk policy. The Add Policy dialog appears populated with the settings from the original risk policy.

NOTE: When duplicated, shared risk policies create non-shared risk policies. The duplicate risk policy is only available for the current application and is managed using the Application wizard.

The function of this button changes depending on the type of risk policy selected.

  • After selecting a risk policy, click this button to delete the selected risk policy. A confirmation dialog appears, click Delete to delete the risk policy.
  • After selecting a shared risk policy, click this button to remove the selected shared risk policy from the application. A confirmation dialog appears, click Remove to remove the risk policy. To delete a shared risk policy, see Deleting a shared risk policy.

Click this button to open the Available Shared Policies dialog.

Policies list - Displays a list of all the risk policies associated with the current application. For each application listed, the following details are provided:

Policy Name

The name assigned to the risk policy on the Add/Edit Policy dialog.

Description

The optional description of the risk policy from the Add/Edit Policy dialog.

Shared

Check marks in this column indicate that this is a shared risk policy.

Alertable

Check marks in this column indicate that alerting is enabled for the risk policy. All risk policies with alerting enabled that appear in the Policies section will generate alerts.

The following buttons appear across the bottom of the Application wizard.

Save

Click this button to save the application.

Close

Click this button to close the dialog. If changes were made to the application, a warning appears allowing you to select whether to save the changes before closing the dialog.

Add Policy/Edit Policy dialogs

These dialogs allow you to add or edit a risk policy. They are accessed by either clicking the button to open the Add Policy dialog, or selecting a previously created application and clicking the button to open the Edit Policy dialog.

Policy Name

Enter a unique name for the risk policy.

Description

(Optional) Enter a brief description for the risk policy.

Disable Policy Override

Select this check box to disable overrides for this risk policy.

How does this work?

Click this link to open the Using the Policy Editor dialog which provides a brief overview of how to use the Policy Editor. Click Close to close the dialog.

Click this button to open the Select conditions to monitor dialog.

Click this button to preview the risk policy. Once preview mode is active, select any of the check boxes to the left of a condition or modifier name to preview the risk score that would occur should the selected items be triggered during an access attempt. The Risk Score field displays the risk score that would occur if all the selected conditions and modifiers were triggered.

Click the button to close preview mode.

Accept

Click this button to approve the risk policy. The risk policy will not be saved until the Save button is clicked on the Add/Edit Application page.

Close

Click this button to close the dialog. If changes were made to the risk policy, a warning appears allowing you to select whether to save the changes before closing the dialog.

Alerting section - This section of the wizard allows you to configure alerting for the risk policy. Click the Alerting heading on the left-hand side of the dialog to display the available settings.

IMPORTANT: When multiple, identical alerts for the same risk policy occur within a 5-minute period, the Security Analytics Engine will only send one alert. If alerting is used in risk policies with multiple conditions, you may want to assign different scores for each condition since there is a chance that a user may attempt access twice in that 5-minute window and trigger different conditions yet still cause the same score.

Notify Admin

Select the check box to begin sending email alerts and in the field enter the email address of the person that will be receiving the alerts.

Notify User

Select the check box to send an email alert to the user attempting access when they exceed a certain score.

If Notify User is selected, click this button to open the Customize User Alert Email dialog which is used for customizing the subject and descriptive body text of the alert email sent to the user. Once edits are made, click Accept to close the dialog.

Alert When

Select one of the following options:

  • Always - Send alerts when a risk policy is evaluated by the application and when the application updates user behavior data.
  • Only when specified - Sends an alert when the risk policy used for evaluation generates a risk score for the application.

Scores <nn> Or More

In this field enter the minimum risk score (1 to 100) a user must receive in order for an alert to be sent.

The following appear based on the selections made on the Select conditions to monitor dialog. For each category, a slider bar appears for each of the conditions and moves from left to right to increase the condition score in increments of 10 between 0%-100%. A condition set to 0% will not affect the risk score when triggered and a condition set to 100% will cause the highest possible risk score when triggered.

Application

Beneath this collapsible heading are the selected conditions within the Application category.

Behavior

Beneath this collapsible heading are the selected conditions within the Behavior category.

Location

Beneath this collapsible heading are the selected conditions within the Location category.

Network

Beneath this collapsible heading are the selected conditions within the Network category.

User

Beneath this collapsible heading are the selected conditions within the User category.

This button appears to the left of each condition name and when clicked displays the modifiers currently assigned to the condition. If no modifiers are currently selected for the condition, this button is grayed out.

This button appears to the left of each condition name and when clicked opens the Select condition modifiers dialog. Click OK to close the dialog once selections are made.

This button appears to the left of each modifier name and when clicked removes the modifier from the condition.

The following sliders appear for each modifier selected on the Select condition modifiers dialog, depending on how it was configured on the Conditions page (Can increase risk, Can decrease risk, or Can both increase or decrease risk):

The Can increase risk slider moves in increments of 10 between 100%-200%. A modifier set to 100% will not affect the condition when triggered and a modifier set between 110%-200% increases the condition score.

The Can decrease risk slider moves in increments of 10 between 0%-100%. A modifier set to 100% will not affect the condition when triggered and a modifier set to between 10%-90% decreases the condition score. A modifier set to 0% cancels out the condition score.

The Can both increase or decrease risk slider moves in increments of 10 between 0%-200%. A modifier set to 0% cancels out the condition score, a modifier set to between 10%-90% decreases the condition score, a modifier set to 100% will not affect the condition when triggered, and a modifier set between 110%-200% increases the condition score.

Select conditions to monitor/Select condition modifiers dialog

These dialogs allow you to add or edit the conditions/modifiers selected for the risk policy. They are accessed by either clicking the button to open the Select conditions to monitor dialog, or selecting the button associated with a condition to open the Select condition modifiers dialog.

Name

This column displays the names of all available conditions/modifiers. Select the check box for a condition/modifier to use it within the risk policy.

Type

This column displays the type of condition/modifier.

Close

Click this button to close the dialog if no changes have been made. This button is replaced by the OK button if changes have been made.

OK

Click this button to save changes and return to the Add Policy/Edit Policy dialog. This button replaces the Close button if changes have been made.

Available Shared Policies dialog

Opened when the button is clicked on the Add Application/Edit Application dialog, this dialog is used to select a shared risk policy for the application. Any shared risk policies that are not already associated with the current application are listed.

Accept

Click this button to approve your selection and close the dialog.

Close

Click this button to close the dialog.

Auditing

Topics:
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación