Chatta subito con l'assistenza
Chat con il supporto

Security Analytics Engine 1.2 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password

Adding a new shared risk policy

To add a new shared risk policy

  1. On the Shared Policies page, click the button to open the Add Shared Policy dialog.
  2. In the Policy Name field, enter a unique display name for the shared risk policy. This name is only used within the Administration web pages.
  3. (Optional) In the Description field, enter a brief description of the shared risk policy. This description is only used within the Administration web pages.
  4. (Optional) Select the Disable Policy Override check box to disable overrides for this shared risk policy. This setting applies to all applications that use the shared risk policy.
  5. (Optional) Use the Alerting section of this dialog to set up email alerts for this risk policy. Click Alerting to display the following settings:
    • Notify Admin - Select the check box to begin sending email alerts and in the field enter the email address of the person that will be receiving the alerts.
    • Notify User - Select the check box to send an email alert to the user attempting access when they exceed a certain score.
    • - If Notify User is selected, click this button to open the Customize User Alert Email dialog which is used for customizing the subject and descriptive body text of the alert email sent to the user. Once edits are made, click Accept to close the dialog.
    • Alert When - Select one of the following options:
      • Always - Send alerts when a risk policy is evaluated by the application and when the application updates user behavior data.
      • Only when specified - Sends an alert when the risk policy used for evaluation generates a risk score for the application.
    • Scores <nn> Or More - In this field enter the minimum risk score (1 to 100) a user must receive in order for an alert to be sent.

    IMPORTANT: When multiple, identical alerts for the same risk policy occur within a 5-minute period, the Security Analytics Engine only sends one alert. If alerting is used in risk policies with multiple conditions, you may want to assign different scores for each condition since there is a chance that a user may attempt access twice in that 5-minute window and trigger different conditions yet still cause the same score.
  6. Click the button in the upper right corner to open the Select conditions to monitor dialog.
  7. Select the check box to the left of a condition name to add that condition to the risk policy. All selected conditions remain highlighted so you can track which conditions are being used in the risk policy.
  8. Repeat Step 7 until you have selected all the conditions to apply to the risk policy.

    Multiple conditions of the same type are allowed in a risk policy and are useful for adding levels of risk to a type of condition. For example, one Abnormal Browser condition can increase a risk score if the browser was unused for 15 days while a second Abnormal Browser condition can further increase the risk score if the browser was unused for 30 days. If a browser that has not been used in over 30 days is used for access, both will be triggered causing both assigned scores to be included in the risk score.

  9. Click the OK button to close the dialog.
  10. The Add Shared Policy dialog displays the selected conditions according to category. Each condition has a slider associated with it that is used to assign a percentage to the condition. Assign each condition a percentage according to how much of a risk you consider a user that triggers the condition during an access attempt.

    NOTE: Hovering over a condition displays a button. Clicking this button displays the condition’s description.
  11. (Optional) Each condition can also be assigned modifiers. These modifiers are used to either increase or decrease the score of a triggered condition in cases when a modifier is also triggered. This allows you to control how a single condition is calculated without lessening or intensifying the effect of another condition which should not be impacted by those same, or possibly any, modifiers. The following steps are required for adding a modifier to a condition:
    • Locate the condition which is to be assigned a modifier.
    • Select the button located to the left of the condition name to open the Select condition modifiers dialog.
    • On the Select condition modifiers dialog, select a check box located to the left of a condition name to add that condition as a modifier of the original condition. All selected conditions remain highlighted so you can track which conditions are being used as modifiers of the original condition.
    • Click OK to close the dialog.
    • Each modifier will now appear listed beneath the original condition with a scroll bar set at 100%. Move the slider in increments of 10 to set the impact each modifier will have on the condition score. Depending on how each modifier was configured on the Conditions page (Can increase risk, Can decrease risk, or Can both increase or decrease risk), the following settings are available:
      • 0% - A modifier set to this percentage automatically causes the condition score to be 0% regardless of any other modifiers triggered. (Can decrease risk or Can both increase or decrease risk)
      • 10%-90% - A modifier set between these two percentages decreases the condition score when triggered. (Can decrease risk or Can both increase or decrease risk)
      • 100% - A modifier set to this percentage will not affect the condition when triggered. (Can decrease risk, Can increase risk, or Can both increase or decrease risk)
      • 110%-200% - A modifier set between these two percentages increases the condition score when triggered. (Can increase risk or Can both increase or decrease risk)
  12. (Optional) To preview possible risk scores that can occur for the risk policy, click the button in the upper right corner of the dialog to enable Preview Mode. Edits to the risk policy are allowed while preview mode is active.
    • Select the check boxes to the left of any conditions or modifiers to preview the risk score that occurs if they are triggered during an access attempt. The Risk Score field at the top of the dialog updates as selections are made.
    • Click the button to close preview mode.
  13. Once each condition and modifier has been assigned a percentage, click Save to save the shared risk policy and return to the Shared Policies page.

Editing a shared risk policy

After a shared risk policy is added, it appears on the Shared Policies page where it can be edited.

To edit a shared risk policy

  1. On the Shared Policies page, select the shared risk policy to edit.
  2. Click the button to open the Edit Shared Policy dialog.
  3. (Optional) To change the alerting configuration for the shared risk policy, click Alerting to expand the section and make any necessary changes.
  4. To change the conditions currently used by the shared risk policy, click the button to open the Select conditions to monitor dialog.
  5. After making changes to the selected conditions, click OK to close the Select conditions to monitor dialog and return to the Edit Shared Policy dialog.
  6. Use the slider bars to assign each condition a percentage according to how much of a risk you consider a user that triggers the condition during an access attempt.
  7. To add or edit the modifiers for a condition, use the button to the left of the condition name to open the Select condition modifiers dialog.
  8. After selecting modifiers for the condition, click OK to close the dialog.
  9. Each modifier now appears listed beneath the original condition with a scroll bar set at 100%. Move the slider to set the impact each modifier will have on the condition score. Depending on how each modifier was configured on the Conditions page (Can increase risk, Can decrease risk, or Can both increase or decrease risk), the following settings are available:
    • 0% - A modifier set to this percentage automatically causes the condition score to be 0% regardless of any other modifiers triggered. (Can decrease risk or Can both increase or decrease risk)
    • 10%-90% - A modifier set between these two percentages decreases the condition score when triggered. (Can decrease risk or Can both increase or decrease risk)
    • 100% - A modifier set to this percentage will not affect the condition when triggered. (Can decrease risk, Can increase risk, or Can both increase or decrease risk)
    • 110%-200% - A modifier set between these two percentages increases the condition score when triggered. (Can increase risk or Can both increase or decrease risk)
  10. (Optional) To preview possible risk scores that can occur for the shared risk policy, click the button in the upper right corner of the dialog to enable Preview Mode. Edits to the shared risk policy are allowed while preview mode is active.
    • Select the check boxes to the left of any conditions or modifiers to preview the risk score that occurs if they are triggered during an access attempt. The Risk Score field at the top of the dialog updates as selections are made.
    • Click the button to close preview mode.
  11. After making edits, click Save to save the changes and close the dialog.

Deleting a shared risk policy

After a shared risk policy is added, it appears on the Shared Policies page where it can be deleted.

To delete a shared risk policy

NOTE: You must remove the shared risk policy from each application using the Applications page before you will be able to delete the shared risk policy on the Shared Policies page. See To delete a shared risk policy from an application for more information.
  1. On the Shared Policies page, select the shared risk policy to delete.
  2. Click the button to delete the shared risk policy.
  3. A dialog is displayed confirming that you want to delete the shared risk policy. Click the Delete button.

Shared Policy wizard

The Shared Policy wizard consists of a series of dialogs displayed when the Add button or the Edit button are clicked on the Shared Policies page. This wizard is used to create risk policies that can be shared by multiple applications.

The following table provides a description of the options available in the Shared Policy wizard.

Table 24: Shared Policy wizard
Add Shared Policy/Edit Shared Policy dialogs

These dialogs allow you to add or edit a shared risk policy. They are accessed by either clicking the Add button to open the Add Shared Policy dialog, or selecting a previously created shared risk policy and clicking the Edit button to open the Edit Shared Policy dialog.

Policy Name

Enter a unique name for the shared risk policy.

Description

(Optional) Enter a brief description for the shared risk policy.

Disable Policy Override

Select this check box to disable overrides for this risk policy. This setting applies to all applications that use the shared risk policy.

How does this work?

Click this link to open the Using the Policy Editor dialog which provides a brief overview of how to use the Policy Editor. Click Close to close the dialog.

Click this button to open the Select conditions to monitor dialog. Click OK to close the dialog.

Click this button to preview the risk policy. Once preview mode is active, select any of the check boxes to the left of a condition or modifier name to preview the risk score that would occur should the selected items be triggered during an access attempt. The Risk Score field displays the risk score that would occur if all the selected conditions and modifiers were triggered.

Click the button to close preview mode.

Save

Click this button to save the shared risk policy.

Close

Click this button to close the dialog. If changes were made to the shared risk policy, a warning appears allowing you to select whether to save the changes before closing the dialog.

Alerting section - This section of the wizard allows you to configure alerting for the shared risk policy. Click Alerting to display the available settings.

IMPORTANT: When multiple, identical alerts for the same risk policy occur within a 5-minute period, the Security Analytics Engine will only send one alert. If alerting is used in risk policies with multiple conditions, you may want to assign different scores for each condition since there is a chance that a user may attempt access twice in that 5-minute window and trigger different conditions yet still cause the same score.

Notify Admin

Select the check box to begin sending email alerts and in the field enter the email address of the person that will be receiving the alerts.

Notify User

Select the check box to send an email alert to the user attempting access when they exceed a certain score.

If Notify User is selected, click this button to open the Customize User Alert Email dialog which is used for customizing the subject and descriptive body text of the alert email sent to the user. Once edits are made, click Accept to close the dialog.

Alert When

Select one of the following options:

  • Always - Send alerts when a risk policy is evaluated by the application and when the application updates user behavior data.
  • Only when specified - Sends an alert when the risk policy used for evaluation generates a risk score for the application.

Scores <nn> Or More

In this field enter the minimum risk score (1 to 100) a user must receive in order for an alert to be sent.

The following appear based on the selections made on the Select conditions to monitor dialog. For each category, a slider bar appears for each of the conditions and moves from left to right to increase the condition score in increments of 10 between 0%-100%. A condition set to 0% will not affect the risk score when triggered and a condition set to 100% will cause the highest possible risk score when triggered.

Application

Beneath this collapsible heading are the selected conditions within the Application category.

Behavior

Beneath this collapsible heading are the selected conditions within the Behavior category.

Location

Beneath this collapsible heading are the selected conditions within the Location category.

Network

Beneath this collapsible heading are the selected conditions within the Network category.

User

Beneath this collapsible heading are the selected conditions within the User category.

This button appears to the left of each condition name and when clicked displays the modifiers currently assigned to the condition. If no modifiers are currently selected for the condition, this button is grayed out.

This button appears to the left of each condition name and when clicked opens the Select condition modifiers dialog. Click OK to close the dialog once selections are made.

This button appears to the left of each modifier name and when clicked removes the modifier from the condition.

The following sliders appear for each modifier selected on the Select condition modifiers dialog, depending on how it was configured on the Conditions page (Can increase risk, Can decrease risk, or Can both increase or decrease risk):

The Can increase risk slider moves in increments of 10 between 100%-200%. A modifier set to 100% will not affect the condition when triggered and a modifier set between 110%-200% increases the condition score.

The Can decrease risk slider moves in increments of 10 between 0%-100%. A modifier set to 100% will not affect the condition when triggered and a modifier set to between 10%-90% decreases the condition score. A modifier set to 0% cancels out the condition score.

The Can both increase or decrease risk slider moves in increments of 10 between 0%-200%. A modifier set to 0% cancels out the condition score, a modifier set to between 10%-90% decreases the condition score, a modifier set to 100% will not affect the condition when triggered, and a modifier set between 110%-200% increases the condition score.

Select conditions to monitor/Select condition modifiers dialog

These dialogs allow you to add or edit the conditions/modifiers selected for the shared risk policy. They are accessed by either clicking the button to open the Select conditions to monitor dialog, or selecting the button associated with a condition to open the Select condition modifiers dialog.

Name

This column displays the names of all available conditions/modifiers. Select the check box for a condition and modifier to use it within the shared risk policy.

Type

This column displays the type of condition or modifier.

Close

Click this button to close the dialog if no changes have been made. This button is replaced by the OK button if changes have been made.

OK

Click this button to save changes and return to the Add Policy/Edit Policy dialog. This button replaces the Close button if changes have been made.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione