Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

Security Analytics Engine 1.0 - User Guide

Table of Contents

Security Analytics Engine Overview

Introduction Launch the Security Analytics Engine Administration web site Web site components

Heading bar Main web pages Navigating the Security Analytics Engine Administration web site

Introduction Plugins page Plugins

BlacklistProviderPlugin BuiltinPlugin GeoLocationPlugin MalwareDetectionPlugin

Editing plugins

Introduction Conditions page Condition types

Abnormal Browser Abnormal Location Abnormal Time Associated w/ Malware Dynamic Blacklist Restricted Country Approved Country Whitelist

Adding and managing conditions

Introduction Applications page

Sample Application

Adding and managing applications Adding and managing risk policies

Adding a new risk policy Managing risk policies

Application wizard

Introduction Auditing page Filtering the audit events Configuring the retention settings Displaying details for an individual audit event Adding and managing overrides on the Auditing page

Policy Overrides

Introduction Policy Overrides page Adding and managing overrides on the Policy Overrides page

Fallback Password

Introduction Fallback Administrator Password page

Security Settings

Introduction Security wizard

Adding new authentication providers

Security wizard pages

Glossary About Dell

Introduction

From the Home page of the Security Analytics Engine Administration web site, click on the Plugins link to configure and manage plugins, which retrieve and store the analytic data that is used for performing condition checks and calculating risk scores. How the information in these plugins is used is then customizable for different risk policies through the use of conditions (see Conditions for more information).

Plugins page

The Plugins page is displayed when Plugins is clicked on the Home page of the Security Analytics Engine Administration web page. This page displays all of the plugins that are currently available.

The Plugins page displays all of the plugins for the Security Analytics Engine and a description of the plugin.

The following button appears on the left top of this page:

This button is used for editing a plugin.

The following information is displayed for each plugin:

Displays the type of plugin.

Displays a short description of the plugin.

Plugins

The following plugins are available:

•

BlacklistProviderPlugin

•

•

GeoLocationPlugin

•

MalwareDetectionPlugin

BlacklistProviderPlugin

The BlacklistProviderPlugin is used for determining if the browser IP address is blacklisted by configured open source blacklists, Dell SecureWorks and/or custom blacklists.

When viewing the plugin information on the Edit Plugin page, the top two fields provide information on the plugin and cannot be changed:

BlacklistProviderPlugin1

The Blacklist Provider plugin provides a set of default open source blacklists, optional Dell SecureWorks blacklist and the ability to add additional blacklist sources.

Plugin Configuration

The following settings are available for the plugin in the Plugin Configuration section:

•

Maximum Audit Records - This is the maximum number of blacklist records to list in the details of an audit record. By default, this is 10 audit records. The maximum number of records that can be returned is 20.

(Optional) Dell SecureWorks CTU Blacklist Configuration

•

SecureWorks Portal Token - SecureWorks customers need to enter their SecureWorks issued portal token into this field.

•

Update Frequency (Minutes) - This is how often the Security Analytics Engine will connect to SecureWorks to update the blacklist. By default, this is 1440 minutes. The maximum update frequency is 9999 minutes.

•

List ID - This is the ID of the specific SecureWorks blacklist to retrieve. By default, this is -1.

•

Enabled - Select this check box to enable the blacklist for use by the Security Analytics Engine. This is disabled by default.

(Optional) Default blacklists

The Security Analytics Engine provides a set of pre-configured blacklists upon installation. The following table displays the settings for each of these default blacklists:

Table 2. Default blacklists

Default settings

Swiss Security Blog Zeus List

•

Provider URL - https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist

•

Provider Name - Swiss Security Blog Zeus List

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

Swiss Security Blog SpyEye List

•

Provider URL - https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist

•

Provider Name - Swiss Security Blog SpyEye List

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

Swiss Security Blog Palevo List

•

Provider URL - https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist

•

Provider Name - Swiss Security Blog Palevo List

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

Swiss Security Blog Feodo List ACD

•

Provider URL - https://feodotracker.abuse.ch/blocklist/?download=ipblocklist

•

Provider Name - Swiss Security Blog Feodo List ACD

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

Swiss Security Blog Feodo List B

•

Provider URL - https://feodotracker.abuse.ch/blocklist/?download=badips

•

Provider Name - Swiss Security Blog Feodo List B

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

OpenBL Default List

•

Provider URL - https://www.openbl.org/lists/base.txt

•

Provider Name - OpenBL Default List

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

Emerging Threats Compromised IPs List

•

Provider URL - http://rules.emergingthreats.net/blockrules/compromised-ips.txt

•

Provider Name - Emerging Threats Compromised IPs List

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

BlocklistDE All 48 Hours List

•

Provider URL - http://lists.blocklist.de/lists/all.txt

•

Provider Name - BlocklistDE All 48 Hours List

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

BlocklistDE Strong IPs List

•

Provider URL - http://lists.blocklist.de/lists/strongips.txt

•

Provider Name - BlocklistDE Strong IPs List

•

Update Frequency (Minutes) - 60

•

Comment Start Pattern - #

•

Enabled - (Selected)

(Optional) Custom Blacklist Providers (Text IP List)

This section allows you to pull in a custom internal blacklist or an externally available blacklist, such as an open source blacklist.

Click Add a new TextListProviders element to display the following fields:

•

Provider URL - The URL used to retrieve the text blacklist (for example, http://localhost/sampleblacklist.txt)


	NOTE: The blacklist must be in a plain text format, with a single IP address per line, and support using an optional network mask length (for example, 172.28.100.0/24).

•

Provider Name - The name of the text list provider.

•

Update Frequency (Minutes) - This is how often the Security Analytics Engine will connect to the provider to update the text blacklist. The maximum update frequency is 9999 minutes.

•

Comment Start Pattern - In order to ignore comments in the text file, enter the character used to distinguish the comments from the blacklist items (for example, #).

•

Enabled - Select this check box to enable the text blacklist for use by the Security Analytics Engine.

•

Delete - Click this button to remove the custom blacklist.

The following type of condition is available for this plugin:

•

Dynamic Blacklist

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center