Security Analytics Engine Overview
Introduction to the Security Analytics Engine
Launch the Administration web site (fallback)
Web site components
Plugins
Introduction to plugins
Plugins page
Available plugins
BlacklistProviderPlugin
BuiltinPlugin
GeoLocationPlugin
LdapPlugin
SonicWALLPlugin
Editing a plugin
Conditions
Introduction to conditions
Conditions page
Condition categories
Shared Policies
Application
Behavior
Adding and managing conditions
Abnormal Authentication
Abnormal Time
Associated w/ Application Category
Associated w/ Application Threat Level
Associated w/ Blacklist
Associated w/ Country
Associated w/ Malware
Authentication List
Location
Network
User
Introduction to shared risk policies
Shared risk policies
Shared Policies page
Adding and managing shared risk policies
Shared Policy wizard
Applications
Introduction to applications
Risk policies
Applications page
Adding and managing applications
Adding and managing risk policies
Adding and managing shared risk policies in an application
Auditing
Adding a shared risk policy to an application
Duplicating a shared risk policy in an application
Deleting a shared risk policy from an application
Application wizard
Introduction to auditing
Auditing page
Filtering the audit events
Configuring the retention settings
Displaying details for an individual audit event
Downloading audit events information
Adding and managing overrides on the Auditing page
Issued Alerts
Policy Overrides
Fallback Password
Adding a policy override
When a user has failed to authenticate due to a high risk score, you can create an override to allow that user access for a specified time period.
|
|
IMPORTANT: To avoid allowing a malicious user access to applications, only create an override when you are positive the user is legitimate. |
|
|
IMPORTANT: Since adding an override causes the Security Analytics Engine to return a risk score of 0, alerts will not be sent for the user until the override has expired. |
To add a policy override
- From the left pane, click Reports to open the Reports page.
- From the Reports page, click Auditing to open the Auditing page. By default, the audit events for the current date are displayed.
- Select a risk score event from the list that is associated with the user (see Filtering the audit events for information on locating a specific event and/or an event from a previous date).
- Click the Override button to open the Add Override dialog.
-
The name of the user appears in the User Name field. Verify that this is the correct user for the override.
NOTE: This field cannot be edited. - For Browser ID, select the browser ID that corresponds to the selected audit event or select Any to allow any browser.
- In the User Address field, select the IP address that corresponds to the selected audit event or select Any to allow any IP address.
- In the Expires in field, use the following drop-down menus to specify the length of time the override will apply. The override must last a minimum of 30 minutes.
- Days - Select the number of days the override will be in effect (0 to 31). By default, this is set to 1.
- Hours - Select the number of hours the override will be in effect (0 to 23). By default, this is set to 0.
- Minutes - Select the number of minutes the override will be in effect (0 to 59). By default, this is set to 0.
- Click the Save button to save the override and close the dialog. The override is now in effect and alerting has been stopped for the user until the specified expiration time.
Editing a policy override on the Auditing page
Auditing > Adding and managing overrides on the Auditing page > Editing a policy override on the Auditing page
|
|
NOTE: Once created, policy overrides can also be managed from the Policy Overrides page which lists all active policy overrides. |
|
|
IMPORTANT: Since adding an override causes the Security Analytics Engine to return a risk score of 0, alerts will not be sent for the user until the override has expired. |
To edit a policy override
- From the left pane, click Reports to open the Reports page.
- From the Reports page, click Auditing to open the Auditing page. By default, the audit events for the current date are displayed.
- Select a risk score event from the list that is associated with a current override. See Filtering the audit events for information on locating a specific event and/or an event from a previous date.
- Click the Override button to open the Modify Override dialog.
- The following information is displayed for the override:
-
Last Updated By: <nn> - The username of the administrator or help desk operator that last created or modified the override.
NOTE: This field cannot be edited. -
User Name - The name of the user to whom the override applies.
NOTE: This field cannot be edited. - Browser ID - The browser ID to which the override applies.
- User Address - The IP address to which the override applies.
-
Expires In - The time left before the override expires. The override must last a minimum of 30 minutes.
Make any necessary changes to the override.
-
- Click the Save button to save the changes to the override and close the dialog. The changes to the override are now in effect and alerting is still stopped for the user the specified expiration time.
Deleting a policy override on the Auditing page
Auditing > Adding and managing overrides on the Auditing page > Deleting a policy override on the Auditing page
|
|
NOTE: Once created, policy overrides can also be managed from the Policy Overrides page which lists all active policy overrides. |
To delete a policy override
- From the left pane, click Reports to open the Reports page.
- From the Reports page, click Auditing to open the Auditing page. By default, the audit events for the current date are displayed.
- Select a risk score event from the list that is associated with a current override. See Filtering the audit events for information on locating a specific event.
- Click the Override button to open the Modify Override dialog.
- Click the Delete button to delete the policy override.
- A confirmation dialog appears. Click the Delete button. Risk scores will now be reported and alerting is enabled for the user.
Issued Alerts
Issued Alerts