Security Analytics Engine 1.2 - User Guide

Last Logon

NOTE: The LdapPlugin is associated with this condition and provides important settings.

Categorized as a User condition, this type of condition always causes the risk score to increase if the user has not logged in within the specified number of days. The following parameters are available:

Table 22: Last Logon parameters

| Parameter | Description | Associated default condition |
| --- | --- | --- |
| Identifier | Enter a name for the condition. | Last Login (Default) |
| Description | Enter a description for the condition. | Active Directory user account has not logged in within a set number of days. |
| Days To Check | The number of days to check for the Active Directory user. A maximum of 365 days can be checked. The minimum number of days depends on the ms-DS-Logon-Time-Sync-Interval attribute, which controls how frequently the domain updates the data that the LdapPlugin then uses. By default this domain attribute is set to 14 days, in which case the value entered into this field must be between 14 and 365 days. If the domain attribute is reconfigured, previously created conditions automatically update to stay within the acceptable range. NOTE: Entering 0 disables this parameter as long as the Include Never Logged On check box is selected. If the Include Never Logged On check box is cleared, a valid value must be entered into this field. | 30 |
| Include Never Logged On | Select this check box to treat users that have never logged on as having failed the Days To Check parameter. NOTE: This check box must be selected if the Days To Check parameter is set to 0. | (Selected) |

Checking an Active Directory account for last logon activity

The following procedure explains how the Security Analytics Engine checks if the Active Directory user logged in within the set number of days.

How the Security Analytics Engine checks an Active Directory account for last logon activity

  1. An Active Directory user attempts to access an application that uses a Last Logon condition type to determine if the account has logged in within the set number of days.
  2. The Security Analytics Engine checks if this access attempt is from an account that has logged on within the specified time period. If this check returns as false (the account has logged in within the time period), the risk score is not affected.
  3. If the check returns as true (the account has not logged in within the time period), the risk score is affected.

    NOTE: If the Include Never Logged On check box is selected, a first time login for an Active Directory user account will automatically return true.
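The procedure above, written out as an added worked example (this is not code from the Security Analytics Engine or its LdapPlugin). It assumes the value the plugin reads from Active Directory is the lastLogonTimestamp attribute in Windows FILETIME ticks, that an unset or zero value means the account has never logged on, and that a Days To Check value below the ms-DS-Logon-Time-Sync-Interval is raised to that interval (the guide says conditions are kept within the acceptable range; the rounding direction is an assumption). The function names and sample timestamps are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Difference between the Windows FILETIME epoch (1601-01-01) and the Unix
# epoch (1970-01-01), in 100-nanosecond ticks. AD stores lastLogonTimestamp
# as a FILETIME tick count.
FILETIME_UNIX_OFFSET = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000
MAX_DAYS_TO_CHECK = 365              # upper bound stated in the guide
DEFAULT_SYNC_INTERVAL_DAYS = 14      # default ms-DS-Logon-Time-Sync-Interval


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    seconds = (filetime - FILETIME_UNIX_OFFSET) / TICKS_PER_SECOND
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample inputs."""
    return int(moment.timestamp() * TICKS_PER_SECOND) + FILETIME_UNIX_OFFSET


def config_is_valid(days_to_check: int, include_never_logged_on: bool) -> bool:
    """Rules from Table 22: the value is at most 365, and 0 is allowed only when
    the Include Never Logged On check box is selected."""
    if days_to_check < 0 or days_to_check > MAX_DAYS_TO_CHECK:
        return False
    if days_to_check == 0 and not include_never_logged_on:
        return False
    return True


def effective_days_to_check(days_to_check: int, sync_interval_days: int) -> int:
    """Assumed clamp: lastLogonTimestamp is only refreshed every
    sync_interval_days, so a shorter window is raised to that interval."""
    if days_to_check == 0:
        return 0
    return max(days_to_check, sync_interval_days)


def last_logon_condition_fires(last_logon_timestamp, days_to_check,
                               include_never_logged_on,
                               sync_interval_days=DEFAULT_SYNC_INTERVAL_DAYS,
                               now=None) -> bool:
    """True when the Last Logon condition should raise the risk score (step 3),
    False when the account logged on inside the window (step 2)."""
    if not config_is_valid(days_to_check, include_never_logged_on):
        raise ValueError("Days To Check must be 1..365, or 0 with "
                         "Include Never Logged On selected")
    now = now or datetime.now(timezone.utc)
    # An account that has never logged on has no timestamp (or 0): the result
    # is decided purely by the Include Never Logged On check box.
    if not last_logon_timestamp:
        return include_never_logged_on
    days = effective_days_to_check(days_to_check, sync_interval_days)
    if days == 0:
        return False   # parameter disabled; nothing further to check
    last_logon = filetime_to_datetime(last_logon_timestamp)
    return now - last_logon > timedelta(days=days)


# Constructed sample inputs (not taken from a real directory).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LOGON_10_DAYS_AGO = datetime_to_filetime(NOW - timedelta(days=10))
LOGON_60_DAYS_AGO = datetime_to_filetime(NOW - timedelta(days=60))
NEVER_LOGGED_ON = 0

if __name__ == "__main__":
    for label, ft in (("10 days ago", LOGON_10_DAYS_AGO),
                      ("60 days ago", LOGON_60_DAYS_AGO),
                      ("never", NEVER_LOGGED_ON)):
        fires = last_logon_condition_fires(ft, 30, True, now=NOW)
        print(f"last logon {label:12} -> risk increased: {fires}")
```

The clamp is the part worth noticing in practice: with the default 14-day sync interval, a condition configured for 7 days still behaves as a 14-day window, because the directory cannot tell the difference between a logon 7 days ago and one 13 days ago.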

LDAP Group

NOTE: The LdapPlugin is associated with this condition and provides important settings.

Categorized as a User condition, this type of condition determines if the request originates from a user belonging to a certain LDAP Group in order to increase or decrease protection for accounts of certain groups. The following parameters are available:

Table 23: LDAP Group parameters

| Parameter | Description | Associated default condition |
| --- | --- | --- |
| Identifier | Enter a name for the condition. | LDAP Group (Default) |
| Description | Enter a description for the condition. | User identified as belonging to a certain LDAP group. |
| Risk Type Value | Select the impact the condition will have on the risk score. Can increase risk: selecting this option causes the risk score to increase if the access attempt comes from a listed group. Can decrease risk: selecting this option causes the condition score to decrease if the access attempt comes from a listed group; a condition with this setting can only be used as a modifier in a risk policy. Can both increase or decrease risk: selecting this option allows you to configure the risk score to either increase or decrease. NOTE: In order to avoid application configuration errors, this parameter cannot be edited once the condition has been saved. | Can increase risk |
| Ldap Groups | The following field and buttons appear in this section: | |
| Group Name | Select the LDAP group name(s) from the drop-down menu to test for membership. | (Default LDAP groups are dependent upon the groups currently available in the domain) |
| Delete | Click this button to remove the corresponding LDAP group from the list. | N/A |
| Add | Click to add additional LDAP groups to the list. | N/A |

Checking for an LDAP group member

The following procedure explains how the Security Analytics Engine checks if an access attempt is from a user belonging to a configured LDAP group.

How the Security Analytics Engine checks for an LDAP group member

  1. A user attempts to access an application that uses an LDAP Group condition type to check if the user belongs to an LDAP group.
  2. The Security Analytics Engine checks if this access attempt is from a specified group. If this check returns as false (it is not an account in a specified group), the account is considered low-risk and the risk score is not affected.
  3. If the check returns as true (it is an account in a specified group), the risk score is affected.
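The membership check above as an added example (not the product's own code). It assumes the user's group membership arrives as LDAP memberOf values, which are full distinguished names, while the condition's Group Name list holds plain group names, so the CN has to be extracted from each DN and compared case-insensitively. The condition class, function names and sample DNs are constructed for this example; the three Risk Type Value choices and the modifier-only rule for "Can decrease risk" come from Table 23.

```python
import re
from dataclasses import dataclass
from enum import Enum


class RiskType(Enum):
    """The three Risk Type Value choices from Table 23."""
    INCREASE = "Can increase risk"
    DECREASE = "Can decrease risk"
    BOTH = "Can both increase or decrease risk"


@dataclass(frozen=True)
class LdapGroupCondition:
    identifier: str
    risk_type: RiskType
    group_names: frozenset      # the configured Group Name entries


def group_cn_from_dn(dn: str) -> str:
    """Return the CN of a group DN as it appears in memberOf, e.g.
    'CN=Domain Admins,OU=Groups,DC=example,DC=com' -> 'Domain Admins'.
    Backslash-escaped characters (such as a comma inside a name) are unescaped,
    so a name like 'Smith\\, Team' is not cut at the escaped comma."""
    match = re.match(r"(?i)CN=((?:\\.|[^,])*)", dn.strip())
    if not match:
        raise ValueError(f"memberOf value does not start with CN=: {dn!r}")
    return re.sub(r"\\(.)", r"\1", match.group(1)).strip()


def matching_groups(member_of, configured_names):
    """Group names from member_of that match a configured name. AD group names
    are not case-sensitive, so the comparison is casefolded."""
    wanted = {name.casefold() for name in configured_names}
    found = {group_cn_from_dn(dn) for dn in member_of}
    return sorted(cn for cn in found if cn.casefold() in wanted)


def usable_in_policy(condition: LdapGroupCondition, as_modifier: bool) -> bool:
    """A 'Can decrease risk' condition may only be used as a modifier in a risk policy."""
    return as_modifier or condition.risk_type is not RiskType.DECREASE


def evaluate(condition: LdapGroupCondition, member_of):
    """Steps 2 and 3 of the procedure: (True, matched groups) when the access
    attempt comes from a listed group, so the risk score is affected in the
    direction given by risk_type; (False, []) leaves the risk score unchanged."""
    hits = matching_groups(member_of, condition.group_names)
    return (bool(hits), hits)


# Constructed sample data (not from a real directory).
SAMPLE_CONDITION = LdapGroupCondition(
    identifier="LDAP Group (Default)",
    risk_type=RiskType.INCREASE,
    group_names=frozenset({"Domain Admins", "Finance"}),
)
SAMPLE_MEMBER_OF = [
    "CN=Domain Admins,CN=Users,DC=example,DC=com",
    "CN=Help Desk,OU=Groups,DC=example,DC=com",
    "CN=Smith\\, Team,OU=Groups,DC=example,DC=com",
]

if __name__ == "__main__":
    affected, groups = evaluate(SAMPLE_CONDITION, SAMPLE_MEMBER_OF)
    print(f"{SAMPLE_CONDITION.identifier}: risk score affected={affected}, via {groups}")
```

Matching on the CN alone is the simplest reading of a Group Name drop-down; if two groups in different OUs share a CN, a deployment that needs to tell them apart would have to compare the full DN instead.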

Adding and managing conditions

Although a set of default conditions is available with the Security Analytics Engine, each condition is customizable in order to accommodate the needs of any application. See the following sections for more information:

Viewing a condition

All default conditions can be viewed on the Conditions page, and non-default conditions can be edited or deleted.

To view a default condition

  1. On the Conditions page, select a default condition.
  2. Click the button to open the View Condition dialog.
  3. After viewing the condition, click the Close button to close the dialog.