
Security Analytics Engine 1.2 - User Guide


Abnormal Authentication

NOTE: The BuiltinPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this type of condition always causes the risk score to increase if the authentication is determined to be abnormal. The following parameters are available:

Table 6: Abnormal Authentication parameters

| Parameter | Description | Associated default condition |
|---|---|---|
| Identifier | Enter a name for the condition. | Abnormal Authentication (Default) |
| Description | Enter a description for the condition. | Authentication deviated from previously established pattern. |
| Period, Minutes | The number of minutes to check for failed authentication attempts. A maximum of 9999 minutes can be checked. | 60 |
| Maximum Attempts | The maximum number of failed authentication attempts to allow for a user within the specified time period (Period, Minutes parameter). A maximum of 7 attempts are allowed. | 3 |

Checking for abnormal authentication

The following procedure explains how the Security Analytics Engine checks the access attempts to determine if it is abnormal authentication behavior for the user.

How the Security Analytics Engine checks for abnormal authentication

  1. A user attempts to access an application that uses an Abnormal Authentication condition type to check for failed authentication attempts.
  2. The Security Analytics Engine determines if the access attempt is considered abnormal based on the number of failed access attempts within the set time period. If this check returns false (the user has passed authentication within the parameters), the access attempt is considered normal and the risk score is not affected.
  3. If the user fails to authenticate within the specified parameters, the risk score is increased.
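The failed-attempt check in the procedure above, written out as an added Python example; this is illustrative code, not code from the Security Analytics Engine. The parameter bounds are the ones in Table 6. The event history, the attempt time and the boundary rule (exactly Maximum Attempts failures are still normal, one more is abnormal) are assumptions, since the guide does not state where the boundary lies.

```python
from datetime import datetime, timedelta

# Documented upper bounds for the two condition parameters (Table 6).
PERIOD_MINUTES_MAX = 9999
MAX_ATTEMPTS_MAX = 7

# Constructed sample history for one user: (timestamp, authentication succeeded).
# Four failures between 07:50 and 08:30, then a success at 08:40.
SAMPLE_EVENTS = [
    (datetime(2024, 1, 10, 7, 50), False),
    (datetime(2024, 1, 10, 8, 5), False),
    (datetime(2024, 1, 10, 8, 20), False),
    (datetime(2024, 1, 10, 8, 30), False),
    (datetime(2024, 1, 10, 8, 40), True),
]
# Constructed time of the current access attempt.
ATTEMPT_TIME = datetime(2024, 1, 10, 8, 45)


def validate_parameters(period_minutes, max_attempts):
    """Reject values outside the ranges the guide allows for this condition."""
    if not 1 <= period_minutes <= PERIOD_MINUTES_MAX:
        raise ValueError(f"Period, Minutes must be 1..{PERIOD_MINUTES_MAX}")
    if not 1 <= max_attempts <= MAX_ATTEMPTS_MAX:
        raise ValueError(f"Maximum Attempts must be 1..{MAX_ATTEMPTS_MAX}")


def failed_attempts_in_period(events, attempt_time, period_minutes):
    """Count failed attempts in the window that ends at the current attempt."""
    window_start = attempt_time - timedelta(minutes=period_minutes)
    return sum(
        1 for ts, succeeded in events
        if not succeeded and window_start <= ts <= attempt_time
    )


def is_abnormal_authentication(events, attempt_time, period_minutes=60, max_attempts=3):
    """Steps 2 and 3 of the procedure: True when the user has exceeded the
    allowed number of failures in the period, i.e. the risk score is increased.
    Assumption: 'maximum to allow' means exactly max_attempts failures are
    still normal and one more is abnormal."""
    validate_parameters(period_minutes, max_attempts)
    failures = failed_attempts_in_period(events, attempt_time, period_minutes)
    return failures > max_attempts


if __name__ == "__main__":
    print("failures in last 60 min:", failed_attempts_in_period(SAMPLE_EVENTS, ATTEMPT_TIME, 60))
    print("abnormal (60 min / 3 attempts):", is_abnormal_authentication(SAMPLE_EVENTS, ATTEMPT_TIME))
    print("abnormal (30 min / 3 attempts):", is_abnormal_authentication(SAMPLE_EVENTS, ATTEMPT_TIME, 30))
```

With the defaults (60 minutes, 3 attempts) the four failures make the 08:45 attempt abnormal; shrinking the period to 30 minutes leaves only two failures in the window and the attempt is treated as normal. Successful logins inside the window are not counted, which is why a single success at 08:40 does not reset the picture.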

Abnormal Time

NOTE: The BuiltinPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this type of condition always causes the risk score to increase if the access request does not fall within the normal access time pattern previously established by the user. The following parameters are available:

Table 7: Abnormal Time parameters

| Parameter | Description | Associated default condition |
|---|---|---|
| Identifier | Enter a name for the condition. | Abnormal Time (Default) |
| Description | Enter a description for the condition. | Request failed to follow normal time pattern established by the user. |
| Days To Check | The number of days to check the access times for a user. For example, if set to 3 the data from the last three days is used for comparison. A maximum of 365 days can be checked. | 30 |
| Minimum Count | The minimum number of access times required to establish a normal access time. This cannot exceed 99 access times. | 1 |
| Tolerance, Hours | The number of hours before and after the access time to accept. For example, if the user habitually logs in at 8 a.m. and the tolerance is set to 1, any time between 7 a.m. and 9:59 a.m. is considered acceptable. The maximum tolerance setting is 12 hours. | 1 |

Checking for an abnormal time

The following procedure explains how the Security Analytics Engine checks the time of an access attempt to determine if it is an abnormal access time for the user.

How the Security Analytics Engine checks for an abnormal time

  1. A user attempts to access an application that uses an Abnormal Time condition type to check for an abnormal access time.
  2. The Security Analytics Engine uses stored information in order to determine if an access attempt corresponds with an established normal access time. The following three factors determine the normal access time:
    • The number of days to use for comparison.
    • A set of hourly time slots during which the user previously logged in. For example, a login any time between 6:00 a.m. and 6:59 a.m. would be associated with the 6 a.m. time slot.
    • A tolerance level for access times. This allows a user to access an application within a time period rather than limiting access to an exact time.

    The Security Analytics Engine gathers the normal access time information and checks the current access attempt to see if it falls within the pattern established by the user. If this check returns as true (there is both enough data to determine an access pattern and the access attempt fits within this pattern), the access time is considered normal and the risk score is not affected.

  3. If this check returns as false (it occurred outside of the normal access time or there is not enough data to compare the access attempt to), the access time is considered abnormal and the risk score is increased.
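The three factors above (days to compare, hourly time slots, tolerance) and the "not enough data" outcome, as an added Python example; this is illustrative code, not the engine's own implementation. The parameter bounds are the ones in Table 7. The login history, the attempt times and the treatment of slots 23 and 0 as adjacent (the guide does not say whether tolerance wraps at midnight) are assumptions.

```python
from datetime import datetime, timedelta

# Documented upper bounds for the condition parameters (Table 7).
DAYS_TO_CHECK_MAX = 365
MINIMUM_COUNT_MAX = 99
TOLERANCE_HOURS_MAX = 12

# Constructed login history for one user: habitual 8 a.m. logins plus one at 1:30 p.m.
SAMPLE_LOGINS = [
    datetime(2024, 3, 1, 8, 5),
    datetime(2024, 3, 4, 8, 20),
    datetime(2024, 3, 5, 8, 58),
    datetime(2024, 3, 6, 13, 30),
    datetime(2024, 3, 7, 8, 10),
]
# Constructed current access attempt at 09:45.
ATTEMPT_0945 = datetime(2024, 3, 8, 9, 45)


def validate_parameters(days_to_check, minimum_count, tolerance_hours):
    """Reject values outside the ranges the guide allows for this condition."""
    if not 1 <= days_to_check <= DAYS_TO_CHECK_MAX:
        raise ValueError(f"Days To Check must be 1..{DAYS_TO_CHECK_MAX}")
    if not 1 <= minimum_count <= MINIMUM_COUNT_MAX:
        raise ValueError(f"Minimum Count must be 1..{MINIMUM_COUNT_MAX}")
    if not 0 <= tolerance_hours <= TOLERANCE_HOURS_MAX:
        raise ValueError(f"Tolerance, Hours must be 0..{TOLERANCE_HOURS_MAX}")


def logins_in_window(logins, attempt_time, days_to_check):
    """Factor 1: only logins from the last days_to_check days are compared."""
    start = attempt_time - timedelta(days=days_to_check)
    return [ts for ts in logins if start <= ts < attempt_time]


def hourly_slots(logins):
    """Factor 2: each login maps to its hour slot (06:00-06:59 -> slot 6)."""
    return {ts.hour for ts in logins}


def slot_distance(slot_a, slot_b):
    """Hours between two slots. Assumption: slots wrap at midnight, so 23 and 0
    are one hour apart."""
    diff = abs(slot_a - slot_b) % 24
    return min(diff, 24 - diff)


def is_abnormal_time(logins, attempt_time, days_to_check=30, minimum_count=1, tolerance_hours=1):
    """Steps 2 and 3: False (normal, score unchanged) when enough history
    exists and the attempt is within tolerance of an established slot; True
    (abnormal, score increased) when it is outside every slot or there is not
    enough data to establish a pattern."""
    validate_parameters(days_to_check, minimum_count, tolerance_hours)
    history = logins_in_window(logins, attempt_time, days_to_check)
    if len(history) < minimum_count:
        return True  # not enough data to compare the attempt against
    slots = hourly_slots(history)
    within_pattern = any(
        slot_distance(attempt_time.hour, slot) <= tolerance_hours for slot in slots
    )
    return not within_pattern


if __name__ == "__main__":
    print("slots:", sorted(hourly_slots(logins_in_window(SAMPLE_LOGINS, ATTEMPT_0945, 30))))
    print("09:45 abnormal:", is_abnormal_time(SAMPLE_LOGINS, ATTEMPT_0945))
    print("11:00 abnormal:", is_abnormal_time(SAMPLE_LOGINS, ATTEMPT_0945.replace(hour=11, minute=0)))
```

The sample reproduces the guide's worked example: with the 8 a.m. slot established and a tolerance of 1 hour, 7:00 and 9:59 are accepted while 6:59 and 11:00 are not. Setting Days To Check to 1 for the 09:45 attempt leaves no comparable logins in the window, so the attempt is flagged abnormal for lack of data rather than for its time of day.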

Associated w/ Application Category

NOTE: This condition is associated with the SonicWALLPlugin type which requires that the Security Analytics Engine Installer - SonicWALL Processor Service.msi and SonicWALL firewall be installed and configured. See the Security Analytics Engine SonicWALL Configuration Guide for more information.

NOTE: The SonicWALLPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this type of condition always causes the risk score to increase if the user or IP address is associated with a configured application category. The following parameters are available:

Table 8: Associated w/ Application Category parameters

| Parameter | Description | Associated default condition |
|---|---|---|
| Identifier | Enter a name for the condition. | Associated w/ Application Category (Default) |
| Description | Enter a description for the condition. | Application category association detected for the user or IP address. |
| Days To Check | The number of days to check for application category association. A maximum of 365 days can be checked. | 7 |
| Minimum Count | The minimum number of times an application category has been detected per day. This must be a value between 1 and 9999. | 1 |
| Minimum Days | The minimum number of days that meet the Minimum Count criteria. A maximum of 365 days can be entered. The number of days entered must be equal to or lower than the Days To Check parameter. | 1 |
| Categories | Select the application categories from the drop-down menu to check for association. Although an initial list of categories is automatically displayed, additional time is required for the list to update once the SonicWALL firewall is integrated with the Security Analytics Engine. Depending on the configuration, fully populating the list should take 10 to 60 minutes. | 8 item(s) selected: BACKUP-APPS, DOWNLOAD-APPS, GAMING, P2P, PROXY-ACCESS, REMOTE-ACCESS, REMOTE-DEBUG, SCADA-APPS |

NOTE: These are also the only application categories displayed when the SonicWALL firewall has NOT been integrated with the Security Analytics Engine.

Checking for application category association

The following procedure explains how the Security Analytics Engine checks the username and IP address attempting to access an application for an application category association.

How the Security Analytics Engine checks for application category association

  1. A user attempts to access an application that uses an Associated w/ Application Category condition type to check if the username or IP address is associated with the specified application categories.

    NOTE: If there is no user ID or IP address available, or the IP address is in a configured DynamicNetwork range, checking the selected application categories is not relevant. Therefore, the request is considered not associated with a category and the risk score is not affected.
  2. The Security Analytics Engine compares the username and IP address against the SonicWALL records that were detected within the specified number of days to check. If this check returns as false (there is no record associated with the specified application categories during that time frame), the request is not considered associated with the configured application categories and the risk score is not affected.
  3. If this check returns as true (there is a record associated with the configured categories that fits all the parameters), the request is considered associated with the configured application categories and the risk score is increased.

Associated w/ Application Threat Level

NOTE: This condition is associated with the SonicWALLPlugin type which requires that the Security Analytics Engine Installer - SonicWALL Processor Service.msi and SonicWALL firewall be installed and configured. See the Security Analytics Engine SonicWALL Configuration Guide for more information.

NOTE: The SonicWALLPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this type of condition always causes the risk score to increase if the user or IP address is associated with a configured application threat level. The following parameters are available:

Table 9: Associated w/ Application Threat Level parameters

| Parameter | Description | Associated default condition |
|---|---|---|
| Identifier | Enter a name for the condition. | Associated w/ Application Threat Level (Default) |
| Description | Enter a description for the condition. | Application threat level association detected for the user or IP address. |
| Days To Check | The number of days to check for application threat level association. A maximum of 365 days can be checked. | 7 |
| Minimum Count | The minimum number of times a threat level has been detected per day. This must be a value between 1 and 9999. | 1 |
| Minimum Days | The minimum number of days that meet the Minimum Count criteria. A maximum of 365 days can be entered. The number of days entered must be equal to or lower than the Days To Check parameter. | 1 |
| Threat Level | Select an application threat level to monitor for: Low, Guarded, Elevated, High, Severe. | High |
| Include Higher Threat Levels | Select this check box to include any threat levels returned that are higher than the one selected. | (Selected) |

Checking for application threat level association

The following procedure explains how the Security Analytics Engine checks the username and IP address attempting to access an application for an application threat level association.

How the Security Analytics Engine checks for application threat level association

  1. A user attempts to access an application that uses an Associated w/ Application Threat Level condition type to check if the username or IP address is associated with the specified application threat level(s).

    NOTE: If there is no user ID or IP address available, or the IP address is in a configured DynamicNetwork range, checking the selected application threat levels is not relevant. Therefore, the request is considered not associated with a threat level and the risk score is not affected.
  2. The Security Analytics Engine compares the username and IP address against the SonicWALL records that were detected within the specified number of days to check. If this check returns as false (there is no record associated with the specified application threat level(s) during that time frame), the request is not considered associated with the configured application threat level(s) and the risk score is not affected.
  3. If this check returns as true (there is a record associated with the configured threat level(s) that fits all the parameters), the request is considered associated with the configured application threat level(s) and the risk score is increased.
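The application category procedure and the application threat level procedure share the same day-counting logic (Days To Check, Minimum Count, Minimum Days) and the same step 1 note about missing identifiers and DynamicNetwork ranges, so one added Python example covers both; it is illustrative code, not the SonicWALLPlugin's own implementation. The parameter bounds and the threat level order come from Tables 8 and 9. The record format, the DynamicNetwork range, the sample records, the reading of "no user ID or IP address" as both being absent, and matching a record on either the username or the IP address are assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Documented upper bounds for the shared parameters (Tables 8 and 9).
DAYS_TO_CHECK_MAX = 365
MINIMUM_COUNT_MAX = 9999
MINIMUM_DAYS_MAX = 365

# Threat levels in ascending order, as listed for the Threat Level parameter.
THREAT_LEVELS = ["Low", "Guarded", "Elevated", "High", "Severe"]

# Constructed DynamicNetwork range; requests from these addresses are not checked.
DYNAMIC_NETWORKS = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed SonicWALL-style detection records:
# (day, username, source IP, application category, threat level).
SAMPLE_RECORDS = [
    (date(2024, 5, 1), "alice", "192.0.2.10", "P2P", "High"),
    (date(2024, 5, 1), "alice", "192.0.2.10", "P2P", "High"),
    (date(2024, 5, 3), "alice", "192.0.2.10", "PROXY-ACCESS", "Severe"),
    (date(2024, 5, 3), "bob", "192.0.2.20", "GAMING", "Low"),
    (date(2024, 5, 6), "carol", "192.0.2.30", "BACKUP-APPS", "Guarded"),
]
TODAY = date(2024, 5, 7)  # constructed date of the access attempt


def validate_parameters(days_to_check, minimum_count, minimum_days):
    """Reject values outside the ranges the guide allows for these conditions."""
    if not 1 <= days_to_check <= DAYS_TO_CHECK_MAX:
        raise ValueError(f"Days To Check must be 1..{DAYS_TO_CHECK_MAX}")
    if not 1 <= minimum_count <= MINIMUM_COUNT_MAX:
        raise ValueError(f"Minimum Count must be 1..{MINIMUM_COUNT_MAX}")
    if not 1 <= minimum_days <= min(MINIMUM_DAYS_MAX, days_to_check):
        raise ValueError("Minimum Days must be 1..365 and not exceed Days To Check")


def request_is_checkable(username, ip):
    """Step 1 note: with neither a user ID nor an IP address, or with an IP
    inside a DynamicNetwork range, the check is not relevant (assumption:
    'no user ID or IP address' is read as both being absent)."""
    if not username and not ip:
        return False
    if ip and any(ipaddress.ip_address(ip) in net for net in DYNAMIC_NETWORKS):
        return False
    return True


def matching_counts_per_day(records, username, ip, today, days_to_check, matches):
    """Step 2: per day inside the window, count records that belong to the
    username or the IP (assumption: either identifier matching counts) and
    satisfy the category / threat level predicate."""
    start = today - timedelta(days=days_to_check)
    counts = {}
    for day, rec_user, rec_ip, category, level in records:
        if not start <= day <= today:
            continue
        if rec_user != username and rec_ip != ip:
            continue
        if matches(category, level):
            counts[day] = counts.get(day, 0) + 1
    return counts


def is_associated(records, username, ip, today, matches,
                  days_to_check=7, minimum_count=1, minimum_days=1):
    """Steps 2 and 3: associated (risk score increased) when at least
    minimum_days days each carry at least minimum_count matching records."""
    validate_parameters(days_to_check, minimum_count, minimum_days)
    if not request_is_checkable(username, ip):
        return False
    counts = matching_counts_per_day(records, username, ip, today, days_to_check, matches)
    qualifying_days = sum(1 for n in counts.values() if n >= minimum_count)
    return qualifying_days >= minimum_days


def associated_with_category(records, username, ip, today, categories, **params):
    """Associated w/ Application Category: match on the selected categories."""
    wanted = set(categories)
    return is_associated(records, username, ip, today,
                         lambda category, level: category in wanted, **params)


def associated_with_threat_level(records, username, ip, today, level,
                                 include_higher=True, **params):
    """Associated w/ Application Threat Level: match on the selected level,
    and on higher levels too when Include Higher Threat Levels is selected."""
    threshold = THREAT_LEVELS.index(level)

    def matches(category, rec_level):
        rank = THREAT_LEVELS.index(rec_level)
        return rank >= threshold if include_higher else rank == threshold

    return is_associated(records, username, ip, today, matches, **params)


if __name__ == "__main__":
    print("alice / P2P+PROXY:", associated_with_category(SAMPLE_RECORDS, "alice", "192.0.2.10", TODAY, ["P2P", "PROXY-ACCESS"]))
    print("alice / High or higher:", associated_with_threat_level(SAMPLE_RECORDS, "alice", "192.0.2.10", TODAY, "High"))
    print("carol / High or higher:", associated_with_threat_level(SAMPLE_RECORDS, "carol", "192.0.2.30", TODAY, "High"))
```

Raising Minimum Count to 2 and Minimum Days to 2 changes the outcome for the same user, because only one of alice's days carries two matching records; that is the lever for tuning out one-off detections. A request from an address inside the DynamicNetwork range is never counted as associated, regardless of the records, exactly as the step 1 note describes.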