Location
The following condition is available in the Location category:
| Condition type | Plugin | Default condition |
|---|---|---|
|
Abnormal Location (Default) | ||
|
Restricted Country (Default) |
Abnormal Location
|
|
NOTE: The GeoLocationPlugin is associated with this condition and provides important settings. |
Categorized as a Location condition, this type of condition always causes the risk score to increase if the location is determined to be abnormal. The following parameters are available:
| Parameter | Description | Associated default condition |
|---|---|---|
|
Identifier |
Enter a name for the condition. |
Abnormal Location (Default) |
|
Description |
Enter a description for the condition. |
Location failed to conform to previous user or device behavior. |
|
Maximum Travel Speed |
The kilometers per hour a person or device can travel between access attempts. The travel speed cannot exceed 9999 kilometers per hour. |
1000 |
|
Also Report Unknown Location |
Select this check box to report an unknown location, such as an anonymous proxy or satellite provider, as abnormal. If this is not selected, an unknown location will not be considered abnormal. |
(Selected) |
Checking for an abnormal location
The following procedure explains how the Security Analytics Engine checks the location of a user or browser attempting to access an application.
How the Security Analytics Engine checks for an abnormal location
-
A user attempts to access an application that uses an Abnormal Location condition type to check for abnormal geolocations.
NOTE: If there is no user ID or browser ID in the access request, checking the geolocation is not relevant. Therefore, the geolocation is considered normal and the risk score is not affected. - The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), the geolocation is considered normal and the risk score is not affected.
- If the internal network check returns as false, the Security Analytics Engine checks the VPN Networks (IP address and subnet mask) configured for the GeoLocationPlugin. If this check returns as true (the VPN is configured), the geolocation is considered normal and the risk score is not affected.
- If the VPN check returns as false, the Security Analytics Engine checks if this is the first access attempt from the IP address for the user or device. If this check returns as true (it is the first access attempt from the IP address), the geolocation is considered abnormal and the risk score is increased.
- Next, the Security Analytics Engine compares the current IP address with the last IP address the user and device successfully signed in on. If the IP addresses match (both the user and device last signed in from this IP address), the geolocation is considered normal and the risk score is not affected.
-
If the IP addresses are different, the OnDemand Service gets passed the incoming IP address and returns the geographic coordinates of the IP address. The Security Analytics Engine compares the geographic coordinates for the current and last IP address, and calculates the distance between them to ensure that the IP addresses are not separated by a distance deemed impossible to travel within the amount of time between access attempts (that is, the user cannot log in to the application from Canada an hour before logging in from India). If the Security Analytics Engine determines that the distance between IP addresses is possible within the time frame, the geolocation is considered normal and the risk score is not affected.
NOTE: If the Security Analytics Engine cannot connect to the OnDemand Service at the time of the access attempt and the Also Report Unknown Location check box is selected, the geolocation is considered abnormal based on the previous steps and the risk score is increased.
If the Security Analytics Engine cannot connect to the OnDemand Service at the time of the access attempt and the Also Report Unknown Location check box is cleared, an unknown geolocation is reported as normal and the risk score is not affected.
- If the Security Analytics Engine determines the distance between the IP addresses is too far apart within the time frame, the Security Analytics Engine considers the geolocation abnormal and the risk score is increased.
Country List
|
|
NOTE: The GeoLocationPlugin is associated with this condition and provides important settings. |
Categorized as a Location condition, this type of condition determines where the request originated from in order to increase or decrease protection for access attempts from specific countries. The following parameters are available:
| Parameter | Description | Associated default condition | ||
|---|---|---|---|---|
|
Identifier |
Enter a name for the condition. |
Restricted Country (Default) | ||
|
Description |
Enter a description for the condition. |
Originated from a country classified as restricted. | ||
|
Risk Type Value |
Select the impact the condition will have on the risk score:
|
Can increase risk | ||
|
Country |
From the drop-down list of countries, select the check box for each country to look for during an access attempt. |
3 item(s) selected - Iran, Islamic Republic of; Sudan; Syrian Arab Republic
|
Checking for a specific country
The following procedure explains how the Security Analytics Engine checks the country of the IP address attempting to access an application against a list of countries.
How the Security Analytics Engine checks for a country
- A user attempts to access an application that uses the Country List condition type to check the location against the list of countries.
- The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), then the Security Analytics Engine returns false and the risk score is not affected.
- If the access attempt did not come from an internal network, the Security Analytics Engine checks the VPN networks (configured and enabled using the GeoLocationPlugin). If this check returns as true (the VPN is configured), then the Security Analytics Engine returns false and the risk score is not affected.
-
Next, the Security Analytics Engine connects with the OnDemand Service to check the location of the access attempt against the list of countries specified for the condition. If the location appears on the list, then the risk score is affected.
NOTE: If the Security Analytics Engine cannot connect with the OnDemand Service at the time of the access attempt, the Security Analytics Engine returns false since the country cannot be determined and the risk score is not affected. - If the country does not appear on the list of countries, the risk score is not affected.
Network
The following conditions are available in the Network category:
| Condition type | Plugin | Default condition |
|---|---|---|
|
Dynamic Blacklist (Default) | ||
|
Whitelist (Default) |