Security Analytics Engine Overview
Plugins
Conditions
Introduction
Conditions page
Condition categories
Shared Policies
Application
Behavior
Adding and managing conditions
Abnormal Authentication
Abnormal Time
Associated w/ Application Category
Associated w/ Application Threat Level
Associated w/ Blacklist
Associated w/ Country
Associated w/ Malware
Authentication List
Location
Network
User
Introduction
Shared risk policies
Shared Policies page
Adding and managing shared risk policies
Shared Policy wizard
Applications
Introduction
Risk policies
Applications page
Adding and managing applications
Adding and managing risk policies
Application wizard
Auditing
Introduction
Auditing page
Filtering the audit events
Configuring the retention settings
Displaying details for an individual audit event
Downloading audit events information
Adding and managing overrides on the Auditing page
Issued Alerts
Policy Overrides
Fallback Password
Security Settings
Glossary
Audit Events table
Event details
On the Auditing page, there are two types of audit events displayed in the table related to each access attempt. The first event generated displays the risk score information for the audit event while the second displays whether or not authentication was successful. For more information, see To display details for an individual audit event.
|
• |
True only - (Default) This option displays the conditions and modifiers evaluated for the application that returned true, and thus impacted the risk score sent to the application. |
|
• |
Show all - This option displays all conditions and modifiers in the evaluated risk policy. |
Click this button to open the Policy Viewer dialog which displays the risk policy that was evaluated during the access attempt. Click Close to close the dialog and return to the Auditing page.
If there is no override currently assigned to the user, clicking this button will open the Add Override dialog. If there is an override currently assigned to the user, this option will open the Modify Override dialog. See Adding and managing overrides on the Auditing page for more information.
This displays the risk score, which is the combined value of the triggered conditions and modifiers.
for increased, 
for decreased, and 
for no effect).
icon will display information regarding the condition parameters.
Click the Show Policy Evaluation button in this column to display information about the risk score associated with the authentication event.
|
NOTE: The Show Policy Details button will be grayed out if incorrect credentials were entered during the access attempt. |
Download options
button at the bottom left of the Auditing page to display the following download options:|
• |
|
• |
|
• |
|
• |
Filtering the audit events
|
1 |
From the Home page, click Reports to open the Reports page. |
|
2 |
From the Reports page, click Auditing to open the Auditing page. |
|
3 |
In the From field, click anywhere in the field to display a calendar and select the start date. You can also manually edit the date in the field (mm/dd/yyyy). |
|
4 |
In the To field, click anywhere in the field to display a calendar and select the end date. You can also manually edit the date in the field (mm/dd/yyyy). |
|
5 |
In the Application(s) field, select to display auditing information for all applications or a specific application. |
|
6 |
In the Max Records field, set the maximum number of records (1-10000) to return for the search. By default, this is 1000 records. |
|
7 |
Click the Search button to update the Audit Events table. |
|
8 |
buttons to the right of each column heading. For more information, see