サポートと今すぐチャット
サポートとのチャット

Security Analytics Engine 1.0 - User Guide

Dynamic Blacklist

* 
NOTE: The BlacklistProviderPlugin is associated with this condition and provides important settings.
This type of condition, using one or more sources, determines if the request originates from a blacklisted IP address. The following parameters are available:
Table 7. Dynamic Blacklist parameters
Parameter
Description
Default
Identifier
Enter a name for the condition.
Dynamic Blacklist (Default)
Description
Enter a description for the condition.
Determines whether the request originates from a blacklisted IP address, using one or more dynamic blacklist sources.
Use Blacklist Type(s)
From the drop-down list, select the blacklist source(s) to use.
All Lists
Checking for a blacklisted IP address
The following procedure explains how the Security Analytics Engine checks the IP address against one or more blacklists to determine if the access attempt is from a blacklisted IP address.
How the Security Analytics Engine checks for a blacklisted IP address:
1
A user attempts to access an application that uses the Dynamic Blacklist condition type to check if an IP address is on a blacklist.
2
The Security Analytics Engine compares the IP address used in the access attempt against the blacklists currently enabled for the BlacklistProviderPlugin. If this check returns as true (the IP address is included in a blacklist), the risk score is increased.
3
If this check returns as false (the IP address is not in a blacklisted network), the risk score is not affected.

Restricted Country

* 
NOTE: The GeoLocationPlugin is associated with this condition and provides important settings.
This type of condition determines if the request originates from a country considered high risk for access. The following parameters are available:
Table 8. Restricted Country parameters
Parameter
Description
Default
Identifier
Enter a name for the condition.
Restricted Country (Default)
Description
Enter a description for the condition.
Determines whether the request originates from a list of restricted countries.
Country definitions
The following field and buttons appear in this section:
Country
From the drop-down list of 249 countries, select a country that is considered high risk if a user within the country is given access.
Cuba, Iran, Sudan, Syria
NOTE: These countries are from the following list posted by the U.S. Department of State: http://www.state.gov/j/ct/list/c14151.htm
Delete
Click this button to remove the corresponding country from the list of restricted countries.
N/A
Add a new CountryDefinitions element
Click to add additional countries to the list.
N/A
Checking for a restricted country
The following procedure explains how the Security Analytics Engine checks the country of the IP address attempting to access an application against a list of restricted countries.
How the Security Analytics Engine checks for a restricted country:
1
A user attempts to access an application that uses the Restricted Country condition type to check the location against a list of restricted countries.
2
The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), then the Security Analytics Engine returns false and the risk score is not affected.
3
If the access attempt did not come from an internal network, the Security Analytics Engine checks the VPN networks (configured and enabled using the GeoLocationPlugin). If this check returns as true (the VPN is configured), then the Security Analytics Engine returns false and the risk score is not affected.
4
Next, the Security Analytics Engine connects with the OnDemand Service to check the location of the access attempt against the list of restricted countries specified for the condition. If the location appears on the list, the location is considered restricted and the risk score is increased.
* 
NOTE: If the Security Analytics Engine cannot connect with the OnDemand Service at the time of the access attempt, the Security Analytics Engine returns false since the country cannot be determined and the risk score is not affected.
5
If the country does not appear on the restricted countries list, the risk score is not affected.

Approved Country

* 
NOTE: The GeoLocationPlugin is associated with this condition and provides important settings.
This type of condition determines if the request originates from a country considered low risk for access. The following parameters are available:
Table 9. Approved Country parameters
Parameter
Description
Default
Identifier
Enter a name for the condition.
Approved Country (Default)
Description
Enter a description for the condition.
Determines whether the request originates from a list of approved countries.
Country definitions
The following field and buttons appear in this section:
Country
From the drop-down list of 249 countries, select a country that is considered low risk if a user within the country is given access.
United States
Delete
Click this button to remove the corresponding country from the list of approved countries.
N/A
Add a new CountryDefinitions element
Click to add additional countries to the list.
N/A
Checking for an approved country
The following procedure explains how the Security Analytics Engine checks the country of a user or browser attempting to access an application against a list of approved countries.
How the Security Analytics Engine checks for an approved country:
1
A user attempts to access an application that uses the Approved Country condition type to check the location against a list of approved countries.
2
The Security Analytics Engine checks if this access attempt is from an internal network. If this check returns as true (it is from an internal network), then the Security Analytics Engine returns false and the risk score is not affected.
3
If the access attempt did not come from an internal network, the Security Analytics Engine checks the VPN networks (configured and enabled using the GeoLocationPlugin). If this check returns as true (the VPN is configured), then the Security Analytics Engine returns false and the risk score is not affected.
4
Next, the Security Analytics Engine connects with the OnDemand Service to check the location of the access attempt against the list of approved countries specified in the condition. If the location appears in the list, the location is considered approved and the risk score is decreased.
* 
NOTE: If the Security Analytics Engine cannot connect with the OnDemand Service at the time of the access attempt, the Security Analytics Engine returns false since the country cannot be determined and the risk score is not affected.
5
If the country does not appear on the approved countries list, the risk score is not affected.

Whitelist

* 
NOTE: The BuiltinPlugin is associated with this condition and provides important settings.
This type of condition determines if the request originates from a whitelisted IP address. The following parameters are available:
Table 10. Whitelist parameters
Parameter
Description
Defaults
Identifier
Enter a name for the condition.
Whitelist (Default)
Description
Enter a description for the condition.
Determines whether the request originates from a specified whitelist IP address range.
Subnet Definitions
The following fields and buttons appear in this section:
NOTE: For Whitelist (Default) there are two subnet definitions (IPv4 and IPv6).
Network IP Address
Enter the network IP address.
IPv4 - 127.0.0.1
IPv6 - ::1
Subnet Mask
Enter the subnet mask.
IPv4 - 255.0.0.0
IPv6 - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Delete
Click this button to remove the subnet definition.
N/A
Add a new SubnetDefinitions element
Click to add additional subnet definitions to the list.
N/A
Checking for a whitelisted IP address
The following procedure explains how the Security Analytics Engine checks the IP address against a whitelist to determine if the access attempt is from a recognized network.
How the Security Analytics Engine checks for a whitelisted IP address:
1
A user attempts to access an application that uses the Whitelist condition type to check if an IP address is in a whitelisted network.
2
The Security Analytics Engine compares the IP address used in the access attempt against a list of whitelisted networks. If this check returns as true (the IP address is in a whitelisted network), the risk score is decreased.
3
If this check returns as false (the IP address is not in a whitelisted network), the risk score is not affected.
関連ドキュメント

The document was helpful.

評価を選択

I easily found the information I needed.

評価を選択