
Security Analytics Engine 1.2 - User Guide


Deleting an application

After an application is added, it appears on the Applications page where it can be deleted.

To delete an application

  1. On the Applications page, select the application to delete.
  2. Click the button to delete the application.
  3. A dialog is displayed confirming that you want to remove the application and its associated risk policies from the Security Analytics Engine. Click the Delete button.

Adding and managing risk policies

After an application has been added, it appears on the Applications page with the associated risk policies listed in the Policies column. It is the responsibility of the client application to determine which risk policy to evaluate during access attempts. However, all risk policies with alerting enabled automatically send alerts once they are configured for the application. For more information on using risk policies for evaluating and alerting, see Risk policies.

See the following sections for more information:

Adding a new risk policy

To add a new risk policy

  1. On the Applications page, select the application which will use the new risk policy.
  2. Click the button to open the Edit Application dialog.
  3. The Policies section of the Edit Application dialog is used for adding and managing the risk policies assigned to the application. To add a new risk policy, click the button to open the Add Policy dialog.
  4. In the Policy Name field, enter a unique name for the risk policy.
  5. (Optional) In the Description field, enter a description for the risk policy.
  6. (Optional) Select the Disable Policy Override check box to disable overrides for this risk policy.
  7. (Optional) Use the Alerting section of this dialog to set up email alerts for this risk policy. Click Alerting to display the following settings:
    • Notify Admin - Select the check box to begin sending email alerts, and in the field enter the email address of the person who will receive the alerts.
    • Notify User - Select the check box to send an email alert to the user attempting access when they exceed a certain score.
    • - If Notify User is selected, click this button to open the Customize User Alert Email dialog which is used for customizing the subject and descriptive body text of the alert email sent to the user. Once edits are made, click Accept to close the dialog.
    • Alert When - Select one of the following options:
      • Always - Send alerts when a risk policy is evaluated by the application and when the application updates user behavior data.
      • Only when specified - Send an alert when the risk policy used for evaluation generates a risk score for the application.
    • Scores <nn> Or More - In this field enter the minimum risk score (1 to 100) a user must receive in order for an alert to be sent.

    IMPORTANT: When multiple identical alerts for the same risk policy occur within a 5-minute period, the Security Analytics Engine sends only one alert. If alerting is used in risk policies with multiple conditions, you may want to assign a different score to each condition, since a user may attempt access twice in that 5-minute window and trigger different conditions yet still produce the same score.
  8. Click the button in the upper right corner to open the Select conditions to monitor dialog.
  9. Select the check box to the left of a condition name to add that condition to the risk policy. All selected conditions remain highlighted so you can track which conditions are being used in the risk policy.
  10. Repeat Step 9 until you have selected all the conditions to apply to the risk policy.

    Multiple conditions of the same type are allowed in a risk policy and are useful for adding levels of risk to a type of condition. For example, one Abnormal Browser condition can increase a risk score if the browser was unused for 15 days, while a second Abnormal Browser condition can further increase the risk score if the browser was unused for 30 days. If a browser that has not been used in over 30 days is used for access, both conditions are triggered and both assigned scores are included in the risk score.

  11. Click the OK button to close the dialog.
  12. The Edit Policy dialog displays the selected conditions according to category. Each condition has a slider associated with it that is used to assign a percentage to the condition. Assign each condition a percentage that reflects how much risk you attribute to a user who triggers that condition during an access attempt.

    NOTE: Hovering over a condition displays a button. Clicking this button displays the condition’s description.
  13. (Optional) Each condition can also be assigned modifiers. These modifiers are used to either increase or decrease the score of a triggered condition in cases when a modifier is also triggered. This allows you to control how a single condition is calculated without lessening or intensifying the effect of another condition which should not be impacted by those same, or possibly any, modifiers. The following steps are required for adding a modifier to a condition:
    • Locate the condition which is to be assigned a modifier.
    • Select the button located to the left of the condition name to open the Select condition modifiers dialog.
    • On the Select condition modifiers dialog, select the check box located to the left of a condition name to add that condition as a modifier of the original condition. All selected conditions remain highlighted so you can track which conditions are being used as modifiers of the original condition.
    • Click OK to close the dialog.
    • Each modifier will now appear listed beneath the original condition with a scroll bar set at 100%. Move the slider in increments of ten to set the impact each modifier will have on the condition score. Depending on how each modifier was configured on the Conditions page (Can increase risk, Can decrease risk, or Can both increase or decrease risk), the following settings are available:
      • 0% - A modifier set to this percentage automatically causes the condition score to be 0% regardless of any other modifiers triggered. (Can decrease risk or Can both increase or decrease risk)
      • 10%-90% - A modifier set between these two percentages decreases the condition score when triggered. (Can decrease risk or Can both increase or decrease risk)
      • 100% - A modifier set to this percentage will not affect the condition when triggered. (Can decrease risk, Can increase risk, or Can both increase or decrease risk)
      • 110%-200% - A modifier set between these two percentages increases the condition score when triggered. (Can increase risk or Can both increase or decrease risk)
  14. (Optional) To preview possible risk scores that can occur for the risk policy, click the button in the upper right corner of the dialog to enable Preview Mode. Edits to the risk policy are allowed while preview mode is active.
    • Select the check boxes to the left of any conditions or modifiers to preview the risk score that occurs if they are triggered during an access attempt. The Risk Score field at the top of the dialog updates as selections are made.
    • Click the button to close preview mode.
  15. Once each condition and modifier has been assigned a percentage, click Accept to approve the risk policy and return to the Edit Application dialog.
  16. Click the Save button on the Edit Application dialog to save the application and return to the Applications page.
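
The IMPORTANT note in Step 7 can be checked against a planned score assignment before it is entered. The following is an added example, not code from the Security Analytics Engine; it assumes that two alerts count as identical when policy, user and risk score match and that the 5-minute period runs from the last alert sent, and the policy name, user and "Condition B" are constructed placeholders.

```python
WINDOW_SECONDS = 5 * 60  # the 5-minute period from the IMPORTANT note


def simulate_alerts(policy, condition_scores, threshold, attempts):
    """Return (time, user, condition, score) for each alert that is sent.

    Assumed model, not documented product behavior: two alerts are
    "identical" when policy, user and risk score all match, and the
    5-minute period is measured from the last alert actually sent.
    """
    last_sent = {}  # (policy, user, score) -> time of last sent alert
    sent = []
    for ts, user, condition in sorted(attempts):
        score = min(100, condition_scores[condition])
        if score < threshold:  # "Scores <nn> Or More"
            continue
        key = (policy, user, score)
        previous = last_sent.get(key)
        if previous is not None and ts - previous < WINDOW_SECONDS:
            continue  # suppressed as a duplicate of the earlier alert
        last_sent[key] = ts
        sent.append((ts, user, condition, score))
    return sent


# Constructed access attempts: (seconds, user, triggered condition).
ATTEMPTS = [
    (0, "alice", "Abnormal Browser"),
    (120, "alice", "Condition B"),       # placeholder condition name
    (400, "alice", "Abnormal Browser"),  # outside the first window
]

EQUAL = {"Abnormal Browser": 40, "Condition B": 40}
DISTINCT = {"Abnormal Browser": 40, "Condition B": 45}

if __name__ == "__main__":
    for label, scores in (("equal", EQUAL), ("distinct", DISTINCT)):
        print(label)
        for alert in simulate_alerts("Policy A", scores, 30, ATTEMPTS):
            print("  ", alert)
```

With equal scores the attempt that triggered the second condition never reaches the alert recipient; with distinct scores all three attempts produce an alert.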

Duplicating a risk policy

After a risk policy is added to an application, it appears listed on the Applications page and can now be duplicated.

To duplicate a risk policy

  1. On the Applications page, select the application currently using the risk policy you want duplicated.
  2. Click the button to open the Edit Application dialog.
  3. In the Policies section, select a risk policy to duplicate and click the button to open the Add Policy dialog populated with the conditions and scores assigned in the original risk policy.
  4. In the Policy Name field, enter a name for the risk policy.
  5. After editing the duplicate risk policy, click the Accept button to return to the Edit Application dialog.
  6. The duplicated risk policy now appears in the Policies section. Click Save to return to the Applications page.