Chat now with support
Chat with Support

Security Analytics Engine 1.1 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password Security Settings Glossary

Risk policies

Before you begin working with risk policies, you need to be aware that they should perform two different roles for an application: evaluating and alerting. Although configured using the same settings, a risk policy used for alerting and a risk policy used for evaluation should be designed with that specific role in mind. An application does not distinguish between a shared risk policy and a non-shared risk policy, therefore you can use any combination of shared and non-shared risk policies for alerting and evaluation.
A risk policy that an application selects to use for evaluation will most likely be similar to the risk policy used in the Sample Application provided by default with the Security Analytics Engine (for more information, see Sample Application). It consists of all the conditions that you want checked during an access attempt and those conditions will operate together to create a single risk score which the application will then use to determine whether to allow an access attempt, request additional authentication information from the user, or deny access. Alerts can be configured for the risk policy providing the evaluation in which case they will issue an alert when the generated risk score exceeds the configured threshold.
A risk policy designed for alerting will in its simplest form consist of a single condition without modifiers. When an access attempt occurs, all risk policies with alerting enabled that are associated with the application will send alerts. Due to the method used for calculating risk scores, an alert sent with information about a single triggered condition will not always be the same as the amount it contributed to the risk score during the access attempt.

Applications page

The Applications page is displayed when Applications is clicked on the Home page of the Security Analytics Engine Administration web site. From this page you can launch the Application wizard to add new or edit existing applications, and create and manage the risk policies being used by applications.
The Applications page displays all of the applications currently using the Security Analytics Engine and the risk policies used by each application.
The following buttons and field appear across the top of the page:
This button is used for adding a new application.
This button is used for editing an existing application.
This button is used for deleting an existing application.
The following information is displayed for each configured application:
Application Name
Displays the name assigned to the application when it was created.
Description
Displays the description of the application. This description was added when the application was created.
Policies
Displays the risk policies currently available for use by the application. To distinguish between shared risk policies and risk policies, shared risk policies are marked as ‘(shared)’. It is the responsibility of the client application to determine which risk policy to evaluate during access attempts.

Sample Application

A sample application (Sample Application) and risk policy (Sample) are added upon installation of the Security Analytics Engine. These function as both an example of how to configure your own applications and a starting point as you begin to create risk policies. For that reason, the sample application can be reconfigured to direct to an actual application and the sample risk policy edited to fit this new application.
The following settings are used in the Sample Application and Sample risk policy:
Table 25. Sample Application settings
Field
Setting
Application Name
Application Description
This is a sample application.
Client API ID
Demo Client
Client API Secret
<nn> (A 34-character secret)
Policies
Sample
Table 26. Sample risk policy settings
Field
Setting
Policy Name
Sample
Description
Sample Policy
Disable Policy Override
(Cleared)
Alerting
Notify Admin
(Cleared)
Notify User
(Cleared)
Alert When
Always
Scores <nn> Or More.
(Cleared)
The following conditions are configured for the Sample risk policy. See Condition categories for information on the settings within these conditions.
Application
Abnormal Browser (Default)
20%
Modifiers:
Whitelist (Default) - 0%
Strong Authentication (Default) - 50%
Behavior
Abnormal Authentication (Default)
20%
Modifiers
Whitelist (Default) - 0%
Strong Authentication (Default) - 50%
Abnormal Time (Default)
20%
Modifiers
Whitelist (Default) - 0%
Strong Authentication (Default) - 50%
Associated w/ Blacklist (Default)
90%
Associated w/ Country (Default)
70%
Associated w/ Malware (Default)
90%
Associated w/ Application Threat Level (Default)
60%
Associated w/ Application Category (Default)
30%
Weak Authentication (Default)
20%
Modifiers:
Whitelist (Default) - 0%
Location
Restricted Country (Default)
70%
Abnormal Location (Default)
20%
Modifiers:
Whitelist (Default) - 0%
Strong Authentication (Default) - 50%
Network
Dynamic Blacklist (Default)
90%
User
Application Role (Default)
10%
Modifiers:
Whitelist (Default) - 0%
Strong Authentication (Default) - 50%
LDAP Group (Default)
10%
Modifiers:
Whitelist (Default) - 0%
Strong Authentication (Default) - 50%
Last Logon (Default)
30%

Adding and managing applications

In order for an application to connect with the Security Analytics Engine, it must first be configured on the Applications page. Once an application has been added, it can be assigned risk policies, send alerts due to high scores, and audit event information can be collected.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating