Chat now with support
Chat with Support

Security Analytics Engine 1.1 - User Guide

Security Analytics Engine Overview Plugins Conditions Shared Policies Applications Auditing Issued Alerts Policy Overrides Fallback Password Security Settings Glossary

Configuring the retention settings

The number of days that audit events will be retained in the database is configurable on the Audit Events page when logged in using an administrator or Fallback account.
To set the number of days to retain audit events in the database
* 
CAUTION: Making changes to this setting after auditing has begun will affect the events currently stored in the database.
If the new number of days is less than the previous number of days, all auditing information currently stored in the database which does NOT fit within the new range will be permanently deleted. Resetting the number of days back to the previous setting will NOT undo the deletion.
If the new number of days is greater than the previous number of days, all events currently in the database will follow the new retention setting.
Please note that this is a background task which may take some time. Depending on the number of audit events in the table and the length of time the Auditing page has been open, some of the audit events appearing in the audit events table may no longer exist. You will need to refresh the page to ensure that the displayed audit events accurately reflect the events stored in the database.
1
From the Home page, click Reports to open the Reports page.
2
From the Reports page, click Auditing to open the Auditing page.
3
Click the Settings button () in the upper right corner of the screen.
4
The Audit Settings dialog will appear. In the Retention Days field, enter the number of days to retain the audit events. Entering 0 will retain all events indefinitely, otherwise there is a maximum of 1095 days. By default, this is set to 90 days.
* 
NOTE: Keep in mind that the longer the amount of time, the more space these events will require in the database.
5
Click the Save button to save the changes.
6
A confirmation dialog will appear. Click the Save button.
A loading screen is displayed while the changes are made. Once the loading screen closes, the changes are in effect and all auditing information currently stored in the database which did NOT fit within the new range will be deleted.
7
Refresh the page to update the audit events table.
* 
NOTE: It may take additional time for the audit events table to reflect the changes to the database.

Displaying details for an individual audit event

The following procedure explains how to view a detailed explanation of the conditions that were evaluated during an audit event.
* 
NOTE: In some cases, if the user fails to enter valid credentials the authentication event message will say it was a failed authentication and there will be no event details nor associated risk score event for the access attempt.
To display details for an individual audit event
1
From the Home page, click Reports to open the Reports page.
2
From the Reports page, click Auditing to open the Auditing page. By default, the audit events for the current day are displayed.
The following types of audit events will appear:
Risk score events - This type of event displays the risk score information for the audit event. This event will precede its associated authentication event. See Step 3 for information on displaying details for this type of event.
Authentication events - This type of event displays whether or not authentication was successful. This event will appear after its associated risk score event, except in cases where there was no risk score event generated since a user failed to use valid credentials. See Step 7 for information on displaying details for this type of event.
3
Click on a risk score event to open a panel displaying the details about the event (see Filtering the audit events for information on locating a specific event and/or an event from a previous date). By default, this panel will display the conditions and any associated modifiers which were triggered during the access attempt. The score listed to the right of the condition name is the score assigned to the triggered condition with any triggered modifiers also taken into account. Use the expand properties button (right arrow) to the left of a condition name to view the modifiers that were triggered marked with an icon depicting their effect on the condition score ( for increased, for decreased, and for no effect).
Switching the Conditions filter to Show All will display all conditions and modifiers that were monitored during the access attempt regardless of whether they returned true or false.
4
Clicking a condition or modifier from the list will populate the right-hand side of the panel with a brief explanation of why the condition score occurred. Hovering over the icon will display information regarding the condition parameters.
5
From this right-hand section, select any of the items to display additional information regarding why the score occurred.
6
To close the panel, reselect the highlighted risk score event.
7
Click on an authentication event to open a panel displaying information regarding the authentication (see Filtering the audit events for information on locating a specific event and/or an event from a previous date).
8
Click the Show Policy Evaluation button to view the risk policy information. This displays information about the risk score associated with the authentication event.
9
To close the panel, reselect the highlighted authentication event.

Downloading audit events information

The following procedure explains how to download a summary of the audit events information.
To download audit events information
1
(Optional) Use the From, To, and Application(s) filtering options to download audit events from a particular time period. No other filtering options are available.
2
Once the audit events table is displaying the desired events, in the bottom left of the Auditing page click the button.
3
Click the link of your desired file type (Csv, Excel, Word or Pdf) to download the audit events report. Follow any further instructions that may appear as a result of your selection and environment.

Adding and managing overrides on the Auditing page

* 
NOTE: After being created, policy overrides can also be managed on the Policy Overrides page. See Policy Overrides page for more information.
* 
NOTE: In cases where overrides have been disabled for a risk policy, the risk score will always be reported regardless of whether or not there is an override in place for the user.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating