Security Analytics Engine 1.0


	CAUTION: Making changes to this setting after auditing has begun will affect the events currently stored in the database. If the new number of days is less than the previous number of days, all auditing information currently stored in the database which does NOT fit within the new range will be permanently deleted. Resetting the number of days back to the previous setting will NOT undo the deletion. If the new number of days is greater than the previous number of days, all events currently in the database will follow the new retention setting. Please note that this is a background task which may take some time. Depending on the number of audit events in the table and the length of time the Auditing page has been open, some of the audit events appearing in the audit events table may no longer exist. You will need to refresh the page to ensure that the displayed audit events accurately reflect the events stored in the database.

Audit Events table

The following information is displayed for each event in the Audit Events table located beneath the filtering options. By default, the audit events for the current date are displayed.

Date/Time

This column displays the date and time the event was detected.

Application

This column displays the name of the application

Message

This column displays the message associated with the event and the threat level assigned to the access attempt.

Policy

This column displays the risk policy that was evaluated.

User Name

This column displays the name of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.

IP Address

This column displays the IP address of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.

Event Details pane

When an event is selected from the audit events list, a Details button appears at the bottom of the screen. Clicking the Details button will open a panel along the bottom of the page with the following fields and button:

Conditions that returned TRUE

This section shows the conditions evaluated for the application that returned true and thus impacted the threat level sent to the application. The score listed to the right of a condition name is the score assigned to the triggered condition. Selecting a condition will display information regarding what caused the condition to return as true.

Clicking show all will switch to displaying the Monitored Conditions section.

One of the following icons will appear to the left of each condition name:

•

- indicates a good condition.

•

- indicates a bad condition.

Monitored Conditions

Displayed when the show all link is clicked, this will display all conditions that were monitored during the access attempt. Selecting a condition will display information regarding what caused the condition to return as true or false.

Clicking show only true will switch to displaying the Conditions that returned TRUE section.

One of the following icons will appear to the left of each condition name:

•

- indicates a good condition.

•

- indicates a bad condition.

Override

If there is no override currently assigned to the user, clicking this button will open the Add Override dialog. If there is an override currently assigned to the user, the Modify Override dialog will appear. See Adding and managing overrides on the Auditing page for more information.

Filtering the audit events

The following procedure explains how to filter the events displayed in the Audit Events table. By default, the audit events for the current date are displayed.

To filter audit events:


	NOTE: Refreshing the screen removes filtering and returns the Auditing page to its default settings.

From the Home page, click Auditing to open the Auditing page.

In the From field, click the

button to display a calendar and select the start date.

In the To field, click the

button to display a calendar and select the end date.

In the Application(s) field, select to display auditing information for all applications or a specific application.

In the Max Records field, set the maximum number of records (1-10000) to return for the search. By default, this is 1000 records.

Click the Search button to update the Audit Events table.

To further filter the list of events, enter characters into the Filter Results field. The Audit Events table is updated automatically.

The results can also be sorted to help you locate a specific event. To sort the data:

•

Click on the column heading to be used for the sort criteria.

•

The sort order will be in ascending order, but can be changed to descending order by clicking the heading a second time.

•

To remove the sort order from a column, click the column heading until the arrow disappears.

Configuring the retention settings

The number of days that audit events will be retained in the database is configurable on the Audit Events page when logged in using an administrator or Fallback account.

To set the number of days to retain audit events in the database:


	CAUTION: Making changes to this setting after auditing has begun will affect the events currently stored in the database. If the new number of days is less than the previous number of days, all auditing information currently stored in the database which does NOT fit within the new range will be permanently deleted. Resetting the number of days back to the previous setting will NOT undo the deletion. If the new number of days is greater than the previous number of days, all events currently in the database will follow the new retention setting. Please note that this is a background task which may take some time. Depending on the number of audit events in the table and the length of time the Auditing page has been open, some of the audit events appearing in the audit events table may no longer exist. You will need to refresh the page to ensure that the displayed audit events accurately reflect the events stored in the database.

From the Home page, click Auditing to open the Auditing page.

Click the Settings button (

) in the upper right corner of the screen.

The Audit Settings dialog will appear. In the Retention Days field, enter the number of days to retain the audit events. Entering 0 will retain all events indefinitely, otherwise there is a maximum of 1095 days. By default, this is set to 90 days.


	NOTE: Keep in mind that the longer the amount of time, the more space these events will require in the database.

Click the Save button to save the changes.

A confirmation dialog will appear. Click the Save button.

A loading screen is displayed while the changes are made. Once the loading screen closes, the changes are in effect and all auditing information currently stored in the database which did NOT fit within the new range will be deleted.

Refresh the page to update the audit events table.


	NOTE: It may take additional time for the audit events table to reflect the changes to the database.

Displaying details for an individual audit event

The following procedure explains how to view a detailed explanation of the conditions that were evaluated during an audit event.

To display details for an individual audit event:

From the Home page, click Auditing to open the Auditing page. By default, the audit events for the current day are displayed.

Select an event and click the Details button on the bottom left of the page (see Filtering the audit events for information on locating a specific event and/or an event from a previous date).

A new panel appears at the bottom of the page displaying the Conditions that returned TRUE section on the left side of the panel. This section displays the conditions evaluated for the application that returned true and thus impacted the threat level sent to the application. The score listed to the right of the condition name is the score assigned to the triggered condition.

One of the following icons will appear to the left of each condition name:

•

- indicates a good condition.

•

- indicates a bad condition.

Clicking the show all link will display all conditions that were monitored during the access attempt regardless of whether they returned true or false.

Selecting a condition from the left column will display additional information in the right column regarding the condition. Each condition includes the following additional details:

•

<plugin name> - <condition name> (Result: <true/false>) - This displays the name of the plugin, the name of the condition and whether the condition returned as true or false during the access attempt. For example, BuiltinPlugin1 - IsAbnormalTime (Result: true).

Use the expand properties button (right arrow) to the left of the heading to display the following information for the condition:

•

Parameters - Use the expand properties button (right arrow) to the left of this heading to display each condition parameter with its current setting. For example, Days = 30.

•

Details - Use the expand properties button (right arrow) to the left of this heading to display information on what caused the condition to trigger or not trigger during the access attempt.

To close the Details panel, click the Details button.

Please select your product:

To serve you better, please complete the Purpose of your Chat:

Recommended Solutions for Your Problem

Security Analytics Engine 1.0 - User Guide

Auditing page

Filtering the audit events

Configuring the retention settings

Displaying details for an individual audit event