
Security Analytics Engine 1.0 - User Guide

Introduction

From the Home page of the Security Analytics Engine Administration web site, click on the Plugins link to configure and manage plugins, which retrieve and store the analytic data that is used for performing condition checks and calculating risk scores. How the information in these plugins is used is then customizable for different risk policies through the use of conditions (see Conditions for more information).

Plugins page

The Plugins page is displayed when Plugins is clicked on the Home page of the Security Analytics Engine Administration web page. This page displays all of the plugins that are currently available.

Plugins

BlacklistProviderPlugin

Maximum Audit Records - The maximum number of blacklist records to list in the details of an audit record. The default is 10 records; the maximum that can be returned is 20.
SecureWorks Portal Token - SecureWorks customers enter their SecureWorks-issued portal token in this field.
Update Frequency (Minutes) - How often the Security Analytics Engine connects to SecureWorks to update the blacklist. The default is 1440 minutes; the maximum is 9999 minutes.
List ID - The ID of the specific SecureWorks blacklist to retrieve. The default is -1.
Enabled - Select this check box to enable the blacklist for use by the Security Analytics Engine. It is disabled by default.

TextListProviders

Provider URL - https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Provider URL - https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
Provider URL - https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist
Provider URL - https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
Provider URL - https://feodotracker.abuse.ch/blocklist/?download=badips
Provider URL - https://www.openbl.org/lists/base.txt
Provider URL - http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Provider URL - http://lists.blocklist.de/lists/all.txt
Provider URL - http://lists.blocklist.de/lists/strongips.txt

Click Add a new TextListProviders element to display the following fields:

Provider URL - The URL used to retrieve the text blacklist (for example, http://localhost/sampleblacklist.txt).
Provider Name - The name of the text list provider.
Update Frequency (Minutes) - How often the Security Analytics Engine connects to the provider to update the text blacklist. The maximum is 9999 minutes.
Comment Start Pattern - The character that marks a comment in the text file, so that comment lines are ignored rather than read as blacklist entries (for example, #).
Enabled - Select this check box to enable the text blacklist for use by the Security Analytics Engine.
Delete - Click this button to remove the custom blacklist.
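As an added illustration (not code from the Security Analytics Engine), the following Python shows how a text blacklist of the kind a TextListProviders entry retrieves can be parsed and queried: one address or CIDR block per line, a configurable Comment Start Pattern, and match details capped at the Maximum Audit Records limit. The sample list and the function names are constructed for this example and are not part of the product.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of a text blacklist in the format a TextListProviders
# entry retrieves: one address or CIDR block per line, comments marked by
# the Comment Start Pattern ("#" here). Not a real provider's data.
SAMPLE_LIST = """# sample blacklist (constructed for this example)
198.51.100.7
198.51.100.8   # trailing comment on an entry
203.0.113.0/24

not-an-address
"""


def parse_text_blacklist(text: str, comment_start: str = "#") -> list:
    """Parse retrieved blacklist text into ipaddress network objects.
    Text after the comment start pattern and blank lines are ignored;
    entries that are not valid addresses or CIDR blocks are skipped so
    one bad line does not abort the whole update."""
    entries = []
    for raw in text.splitlines():
        line = (raw.split(comment_start, 1)[0] if comment_start else raw).strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits set in a CIDR entry
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return entries


def blacklist_matches(ip: str, providers: Dict[str, list],
                      max_audit_records: int = 10) -> List[str]:
    """Return one audit detail line per provider entry containing ip,
    capped at max_audit_records (clamped to the documented range:
    default 10, at most 20)."""
    cap = max(1, min(max_audit_records, 20))
    addr = ipaddress.ip_address(ip)
    records = []
    for name, networks in providers.items():
        for net in networks:
            if addr.version == net.version and addr in net:
                records.append(f"{name}: {net}")
                if len(records) >= cap:
                    return records
    return records
```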