
Security Analytics Engine 1.2 - User Guide

Audit Events table

The following information is displayed for each event in the Audit Events table. By default, the audit events for the current date are displayed.

Date/Time

This column displays the date and time the event was detected.

Application

This column displays the name of the application.

Resource

This column displays the name of the requested resource. It appears blank when an attribute specifying the resource is not returned by the application.

Message

This column displays the message associated with the event and, when applicable, the risk score assigned to the access attempt. If an override is in place for the user, the message notes that the risk score was overridden, resulting in a score of 0 for the access attempt.

Policy

This column displays the risk policy that was evaluated.

User Name

This column displays the name of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.

IP Address

This column displays the IP address of the user who accessed, or attempted to access, an application protected by the Security Analytics Engine.

Event details

On the Auditing page, the table displays two types of audit events for each access attempt. The first event generated displays the risk score information for the access attempt, while the second displays whether authentication was successful. For more information, see To display details for an individual audit event.

NOTE: In some cases, if the user fails to enter valid credentials, the authentication event message notes that it was a failed authentication, and there are no event details and no associated risk score event for the access attempt.

Risk score events

When selected, a risk score event displays the following information and options:

Conditions filter

The Conditions filter drop-down is used to select the type of information to display concerning the risk score. The following options are available:

  • True only - (Default) This option displays the conditions and modifiers evaluated for the application that returned true, and thus impacted the risk score sent to the application.
  • Show all - This option displays all conditions and modifiers in the evaluated risk policy.

View Policy

Click this button to open the Policy Viewer dialog which displays the risk policy that was evaluated during the access attempt. Click Close to close the dialog and return to the Auditing page.

Override

If there is no override currently assigned to the user, clicking this button opens the Add Override dialog. If there is an override currently assigned to the user, this option opens the Modify Override dialog. See Adding and managing overrides on the Auditing page for more information.

Score

This displays the risk score, which is the combined value of the triggered conditions and modifiers.

Condition/Modifier list

Based on the condition filter specified, the left pane displays the conditions evaluated in the selected access attempt event.

The score listed to the right of a condition name is the score resulting from both the condition and any triggered modifiers. Use the expand properties button (right arrow) to the left of a condition name to also display any modifiers for that condition. Each modifier is marked with an icon depicting its effect on the condition score (increased, decreased, or no effect).

Selecting a condition or modifier from the list populates the right-hand side of the panel with the settings information. From this section, you can select any of the items to display a brief explanation of why the condition score occurred. Hovering over the icon displays information regarding the condition parameters.

Authentication events

When selected, an authentication event displays the following information and button:

Authenticated

This column displays whether authentication was successful.

Authentication Method

This column displays the type of authentication used.

Authorization

This column displays the authorization action taken by an application based on the risk score calculated by the Security Analytics Engine (for example, step up authentication may have been required due to a moderately high risk score).

Summary

This column summarizes why the access attempt failed or succeeded.

Policy

Click the Show Policy Evaluation button in this column to display information about the risk score associated with the authentication event.

NOTE: The Show Policy Details button is grayed out if incorrect credentials were entered during the access attempt.

Download options

A summary of the information on the Auditing page (excluding any column filtering values) can be downloaded in order to save or print a list of the audit events appearing in the table.

Hover over the button at the bottom left of the Auditing page to display the following download options:

  • Csv
  • Excel
  • Word
  • Pdf

For more information, see To download audit events information.
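
As an added example (not part of the product documentation), this Python script reviews a downloaded Csv export offline by pairing each risk score event with its authentication event and flagging overridden scores and failures that have no risk score event. It assumes the export's header names match the Audit Events column names, that rows are ordered oldest first, and that the Message wording resembles the constructed sample; the function names are hypothetical.

```python
import csv
import io

# Constructed sample export. Header names mirror the Audit Events columns;
# the Message wording and time format are assumptions, not product output.
SAMPLE_CSV = """\
Date/Time,Application,Resource,Message,Policy,User Name,IP Address
03/02/2015 09:14:02,Portal,/hr,Risk score: 40,Default,alice,192.0.2.10
03/02/2015 09:14:03,Portal,/hr,Authentication succeeded,Default,alice,192.0.2.10
03/02/2015 09:20:41,Portal,/hr,Risk score was overridden resulting in a score of 0,Default,bob,198.51.100.7
03/02/2015 09:20:42,Portal,/hr,Authentication succeeded,Default,bob,198.51.100.7
03/02/2015 09:31:15,Portal,,Failed authentication,Default,carol,203.0.113.5
"""

def pair_access_attempts(csv_text):
    """Pair each risk score event with the authentication event that follows
    it for the same user, IP address and application (rows oldest first)."""
    pending = {}   # (user, ip, app) -> risk score row awaiting its auth event
    attempts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["User Name"], row["IP Address"], row["Application"])
        message = row["Message"].lower()
        if "risk score" in message:
            pending[key] = row
            continue
        risk = pending.pop(key, None)
        attempts.append({
            "user": row["User Name"],
            "ip": row["IP Address"],
            "authenticated": "failed" not in message,
            # No risk row: the failed-credentials case from the NOTE above.
            "has_risk_event": risk is not None,
            "overridden": bool(risk) and "overridden" in risk["Message"].lower(),
        })
    return attempts

def needs_review(attempts):
    """Attempts worth a second look: a successful login whose score was
    forced to 0 by an override, or a failure with no risk score event."""
    return [a for a in attempts
            if (a["authenticated"] and a["overridden"])
            or (not a["authenticated"] and not a["has_risk_event"])]
```

Adjust the keyword matching to the actual Message text in your export before relying on the results.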

Filtering the audit events

The following procedure explains how to filter the events displayed in the Audit Events table. By default, the audit events for the current date are displayed.

To filter audit events

NOTE: Refreshing the screen removes filtering and returns the Auditing page to its default settings.
  1. From the left pane, click Reports to open the Reports page.
  2. From the Reports page, click Auditing to open the Auditing page.
  3. In the From field, click anywhere in the field to display a calendar and select the start date. You can also manually edit the date in the field (mm/dd/yyyy).
  4. In the To field, click anywhere in the field to display a calendar and select the end date. You can also manually edit the date in the field (mm/dd/yyyy).
  5. In the Application(s) field, select whether to display auditing information for all applications or for a specific application.
  6. In the Max Records field, set the maximum number of records (1 to 10000) to return for the search. By default, this is 1000 records.
  7. Click the Search button to update the Audit Events table.
  8. To further filter the list of events, use the buttons to the right of each column heading. For more information, see To filter data.