Condition categories
Conditions are used to define how the information stored and retrieved by a plugin is used by an application. The Security Analytics Engine provides a selection of default conditions which are usable by risk policies without requiring additional configuration. You can also create customizable conditions of any type (see Creating a new condition).
There are five condition categories available in the Security Analytics Engine:
Application
The following condition is available in the Application category:
| Condition type | Plugin | Default condition |
|---|---|---|
|
Abnormal Browser (Default) |
Abnormal Browser
|
|
NOTE: The BuiltinPlugin is associated with this condition and provides important settings. |
Categorized as an Application condition, this type of condition always causes the risk score to increase if the browser is determined to be abnormal. The following parameters are available:
| Parameter | Description | Associated default condition |
|---|---|---|
|
Identifier |
Enter a name for the condition. |
Abnormal Browser (Default) |
|
Description |
Enter a description for the condition. |
Browser considered abnormal for the user. |
|
Days To Check |
The number of days to check for the browser ID. For example, if set to 3 the data from the last three days is used for comparison. A maximum of 365 days can be checked. |
30 |
Checking for an abnormal browser
The following procedure explains how the Security Analytics Engine checks the browser attempting to access an application to determine if it is an abnormal browser for the user.
How the Security Analytics Engine checks for an abnormal browser
- A user attempts to access an application that uses an Abnormal Browser condition type to check for abnormal browsers.
- The Security Analytics Engine checks if this access attempt is from a browser not used by the user within the time period specified by the condition. If this check returns as false (it is a previously used browser), the browser is considered normal and the risk score is not affected.
- If this check returns as true (the browser was not previously used within the specified time period), the browser is considered abnormal and the risk score is increased.
Behavior
The following conditions are available in the Behavior category:
| Condition type | Plugin | Default condition(s) |
|---|---|---|
|
Abnormal Authentication (Default) | ||
|
Abnormal Time (Default) | ||
|
Associated w/ Application Category (Default) | ||
|
Associated w/ Application Threat Level (Default) | ||
|
Associated w/ Blacklist (Default) | ||
|
Associated w/ Country (Default) | ||
|
Associated w/ Malware (Default) | ||
|
Weak Authentication (Default) Strong Authentication (Default) |