Chat now with support
Chat with Support

Security Analytics Engine 1.1 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password Security Settings Glossary

BlacklistProviderPlugin

The BlacklistProviderPlugin is used for determining if the browser IP address is blacklisted by configured open source blacklists, Dell SecureWorks and/or custom blacklists.
When viewing the plugin information on the Edit Plugin page, the top two fields provide information on the plugin and cannot be changed:
Instance Name
BlacklistProviderPlugin1
Description
The Blacklist Provider plugin provides a set of default open source blacklists, optional Dell SecureWorks blacklist and the ability to add additional blacklist sources.
Plugin Configuration
The following settings are available for the plugin in the Plugin Configuration section:
Maximum Audit Records - This is the maximum number of blacklist records to list in the details of an audit record. By default, this is 10 audit records. The maximum number of records that can be returned is 20.
(Optional) Dell SecureWorks CTU Blacklist Configuration
SecureWorks Portal Token - SecureWorks customers need to enter their SecureWorks issued portal token into this field to enable the SecureWorks blacklist. When this field is empty, the SecureWorks blacklist is disabled.
Update Frequency (Minutes) - This is how often the Security Analytics Engine will connect to SecureWorks to update the blacklist. By default, this is 1440 minutes. The maximum update frequency is 9999 minutes.
List ID - This is the ID of the specific SecureWorks blacklist to retrieve. By default, this is -1.
(Optional) Default blacklists
The Security Analytics Engine provides a set of pre-configured blacklists upon installation. The following table displays the settings for each of these default blacklists:
Table 2. Default blacklists
Blacklist
Default settings
Swiss Security Blog Zeus List
Provider URL - https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Provider Name - Swiss Security Blog Zeus List
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
Swiss Security Blog Palevo List
Provider URL - https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist
Provider Name - Swiss Security Blog Palevo List
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
Swiss Security Blog Feodo List ACD
Provider URL - https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
Provider Name - Swiss Security Blog Feodo List ACD
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
Swiss Security Blog Feodo List B
Provider URL - https://feodotracker.abuse.ch/blocklist/?download=badips
Provider Name - Swiss Security Blog Feodo List B
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
OpenBL Default List
Provider URL - https://www.openbl.org/lists/base.txt
Provider Name - OpenBL Default List
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
Emerging Threats Compromised IPs List
Provider URL - http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Provider Name - Emerging Threats Compromised IPs List
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
BlocklistDE All 48 Hours List
Provider URL - http://lists.blocklist.de/lists/all.txt
Provider Name - BlocklistDE All 48 Hours List
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
BlocklistDE Strong IPs List
Provider URL - http://lists.blocklist.de/lists/strongips.txt
Provider Name - BlocklistDE Strong IPs List
Update Frequency (Minutes) - 60
Comment Start Pattern - #
Enabled - (Selected)
(Optional) Custom Blacklist Providers
This section allows you to pull in a custom internal blacklist or an externally available blacklist, such as an open source blacklist.
Click Add to display the following fields:
Provider URL - The URL used to retrieve the text blacklist (for example, http://localhost/sampleblacklist.txt)
* 
NOTE: The blacklist must be in a plain text format, with a single IP address per line, and support using an optional network mask length (for example, 172.28.100.0/24).
Provider Name - The name of the text list provider.
Update Frequency (Minutes) - This is how often the Security Analytics Engine will connect to the provider to update the text blacklist. The maximum update frequency is 9999 minutes.
* 
NOTE: Some externally available blacklists may have additional restrictions regarding update frequency.
Comment Start Pattern - In order to ignore comments in the text file, enter the character used to distinguish the comments from the blacklist items (for example, #).
Enabled - Select this check box to enable the text blacklist for use by the Security Analytics Engine.
Delete - Click this button to remove the custom blacklist.
After making changes to the plugin, click the Validate button in the lower right corner to check that the configuration is valid.
Conditions
The following type of condition is available for this plugin:
Dynamic Blacklist

BuiltinPlugin

The BuiltinPlugin is used for determining the browser being used, the time of access, the type of authentication used, the strength of the authentication used, user roles, and if the incoming IP address is from a whitelisted network.
When viewing the plugin information on the Edit Plugin page, the top two fields provide information on the plugin and cannot be changed:
Instance Name
BuiltinPlugin1
Description
The Builtin plugin provides historical tracking capabilities, including abnormal time, unknown browser and determining whether or not an IP address is within a specific network range.
Plugin Configuration
The following setting is available for the plugin in the Plugin Configuration section:
Maximum Days Tracking - This specifies the number of days to keep the tracking data. By default, this is 30 days. The maximum number of days tracking data can be retained is 365 days.
(Optional) Custom Authentication Context
This section allows you to add custom authentication methods that can be checked for during access attempts.
Click Add to display the following fields:
URN - This is the uniform resource name.
Display Name - This is the display name for the authentication method.
Delete - Click this button to remove the custom authentication method.
After making changes to the plugin, click the Validate button in the lower right corner to check that the configuration is valid.
Conditions
The following types of conditions are available for this plugin:
Abnormal Authentication
Abnormal Browser
Abnormal Time
Role List
Authentication List
Network List

GeoLocationPlugin

The GeoLocationPlugin is used for determining the location of the user or browser that is attempting to access the application.
When viewing the plugin information on the Edit Plugin page, the top two fields provide information on the plugin and cannot be changed:
Instance Name
GeolocationPlugin1
Description
The Geolocation plugin provides IP-based geolocation capabilities, including determining country location and if the travel time from the previous location is reasonable.
Plugin Configuration
The following settings are available for the plugin in the Plugin Configuration section:
Maximum Days Tracking - This specifies the number of days to track the location data. By default, this is 30 days. The maximum number of days tracking data can be retained is 365 days.
(Optional) VPN Network Definitions
This section allows you to configure a list of IP/subnet network addresses associated with an internal network.
Click Add to display the following fields:
IP Address - This is for configuring an IPv4 or IPv6 address.
IP Subnet Mask - This is for configuring the optional IPv4 or IPv6 subnet mask.
Enable - Select this check box to enable the configured VPN network definition.
Delete - Click this button to remove the VPN network.
After making changes to the plugin, click the Validate button in the lower right corner to check that the configuration is valid.
Conditions
The following types of conditions are available for this plugin:
Abnormal Location
Country List

LdapPlugin

The LdapPlugin supports the risk factors and identity information gathered from the LDAP server.
When viewing the plugin information on the Edit Plugin page, the top two fields provide information on the plugin and cannot be changed:
Instance Name
LdapPlugin1
Description
The LDAP plugin provides support for risk factors and identity information, gathered from LDAP server.
Plugin Configuration
The following settings are available for the plugin in the Plugin Configuration section:
Server - This is the name (or IP address) of the LDAP server, Active Directory® domain or the domain controller to which the Security Analytics Engine will connect. If the field is left empty, the domain controller of the current Active Directory domain is used.
Port - This is the TCP/IP port of the LDAP server. Active Directory uses ports 389 for LDAP and 3268 for Global Catalog. By default this is set to use port 389.
User Name - Enter the user name to use for connecting to the LDAP or Active Directory server.
Password - Enter the password for the specified user.
Base DN - This is the Base DN value for the LDAP server (e.g., dc=example, dc=com). If left empty, the Security Analytics Engine will attempt to automatically detect the Base DN.
After making changes to the plugin, click the Validate button in the lower right corner to test the configuration.
Conditions
The following types of conditions are available for this plugin:
Last Logon
LDAP Group
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating