
Security Analytics Engine 1.2 - User Guide


Associated w/ Blacklist

NOTE: This condition is associated with the SonicWALLPlugin type, which requires that the Security Analytics Engine Installer - SonicWALL Processor Service.msi and a SonicWALL firewall be installed and configured. See the Security Analytics Engine SonicWALL Configuration Guide for more information.

NOTE: The SonicWALLPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this condition type can only increase the risk score: it does so when the user or IP address has been associated with a blacklist within the configured window. The following parameters are available:

Table 10: Associated w/ Blacklist parameters (each entry gives the parameter, its description, and the value used in the associated default condition)

Identifier
    Enter a name for the condition.
    Default: Associated w/ Blacklist (Default)

Description
    Enter a description for the condition.
    Default: Blacklist association detected for the user or IP address.

Days To Check
    The number of days to check for blacklist association. A maximum of 365 days can be checked.
    Default: 7

Minimum Count
    The minimum number of times activity associated with a blacklist must have been detected per day. This must be a value between 1 and 9999.
    Default: 1

Minimum Days
    The minimum number of days that must meet the Minimum Count criteria. A maximum of 365 days can be entered, and the value must be equal to or lower than the Days To Check parameter.
    Default: 1

Use Blacklist Type(s)
    Select the blacklist(s) to use:
      • All lists
      • Dell SecureWorks
      • Custom text list(s)
    Default: All lists

Checking for blacklist association

The following procedure explains how the Security Analytics Engine checks the username and IP address attempting to access an application for a blacklist association.

How the Security Analytics Engine checks for blacklist association

  1. A user attempts to access an application that uses an Associated w/ Blacklist condition type to check if the username or IP address is associated with a blacklist.

    NOTE: If there is no user ID or IP address available, or the IP address is in a configured DynamicNetwork range, checking the selected blacklists is not relevant. Therefore, the request is considered not associated with a blacklist and the risk score is not affected.
  2. The Security Analytics Engine compares the username and IP address against the SonicWALL blacklist records detected within the Days To Check window, counting matching detections per day for the selected blacklist type(s). If fewer than Minimum Days days reach Minimum Count detections (including the case where there is no matching record at all), the check returns false: the request is not considered associated with a blacklist and the risk score is not affected.
  3. If the check returns true (at least Minimum Days days within the window each have at least Minimum Count detections), the request is considered associated with a blacklist and the risk score is increased.

Associated w/ Country

NOTE: This condition is associated with the SonicWALLPlugin type, which requires that the Security Analytics Engine Installer - SonicWALL Processor Service.msi and a SonicWALL firewall be installed and configured. See the Security Analytics Engine SonicWALL Configuration Guide for more information.

NOTE: The SonicWALLPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this condition type can only increase the risk score: it does so when the user or IP address has been associated with activity in one of the selected countries within the configured window. The following parameters are available:

Table 11: Associated w/ Country parameters (each entry gives the parameter, its description, and the value used in the associated default condition)

Identifier
    Enter a name for the condition.
    Default: Associated w/ Country (Default)

Description
    Enter a description for the condition.
    Default: User or IP address identified as being associated with activity in specific countries.

Days To Check
    The number of days to check for country association. A maximum of 365 days can be checked.
    Default: 7

Minimum Count
    The minimum number of times activity in a listed country must have been detected per day. This must be a value between 1 and 9999.
    Default: 1

Minimum Days
    The minimum number of days that must meet the Minimum Count criteria. A maximum of 365 days can be entered, and the value must be equal to or lower than the Days To Check parameter.
    Default: 1

Country
    From the drop-down list of countries, select the check box for each country that is considered high risk if a user or IP address is associated with activity in that country.
    Default: 3 item(s) selected - Iran, Islamic Republic of; Sudan; Syrian Arab Republic

NOTE: The default countries are taken from a list posted by the U.S. Department of State.

Checking for country association

The following procedure explains how the Security Analytics Engine checks the user and IP address attempting to access an application for an association with activity in a specified country.

How the Security Analytics Engine checks for country association

  1. A user attempts to access an application that uses an Associated w/ Country condition type to check if the username or IP address is associated with activity in a specified country.

    NOTE: If there is no user ID or IP address available, or the IP address is in a configured DynamicNetwork range, checking for country association is not relevant. Therefore, the request is considered not associated with activity and the risk score is not affected.
  2. The Security Analytics Engine compares the username and IP address against the records of activity in the selected countries detected within the Days To Check window, counting matching detections per day. If fewer than Minimum Days days reach Minimum Count detections (including the case where there is no matching record at all), the check returns false: the request is not considered to come from a user or IP address associated with activity in a selected country and the risk score is not affected.
  3. If the check returns true (at least Minimum Days days within the window each have at least Minimum Count detections of activity in a selected country for that username or IP address), the request is considered associated with the country and the risk score is increased.

Associated w/ Malware

NOTE: This condition is associated with the SonicWALLPlugin type, which requires that the Security Analytics Engine Installer - SonicWALL Processor Service.msi and a SonicWALL firewall be installed and configured. See the Security Analytics Engine SonicWALL Configuration Guide for more information.

NOTE: The SonicWALLPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this type of condition always causes the risk score to increase if the user or IP address is associated with malware. The following parameters are available:

Table 12: Associated w/ Malware parameters (each entry gives the parameter, its description, and the value used in the associated default condition)

Identifier
    Enter a name for the condition.
    Default: Associated w/ Malware (Default)

Description
    Enter a description for the condition.
    Default: User or IP address identified as being associated with malware detection.

Days To Check
    The number of days to check for malware association. A maximum of 365 days can be checked.
    Default: 7

Minimum Count
    The minimum number of times malware must have been detected within the Days To Check window. This must be a value between 1 and 9999. Unlike the blacklist and country conditions, this condition has no Minimum Days parameter.
    Default: 1

Checking for malware association

The following procedure explains how the Security Analytics Engine checks the username and IP address attempting to access an application for an association with malware.

How the Security Analytics Engine checks for malware association

  1. A user attempts to access an application that uses an Associated w/ Malware condition type to check if the username or IP address is associated with malware.

    NOTE: If there is no user ID or IP address available, or the IP address is in a configured DynamicNetwork range, checking for malware is not relevant. Therefore, the request is considered not associated with malware and the risk score is not affected.
  2. The Security Analytics Engine compares the username and IP address against the malware records detected within the Days To Check window. If fewer than Minimum Count matching detections fall within that window (including the case where there is no matching record at all), the check returns false: the request is not considered associated with malware and the risk score is not affected.
  3. If the check returns true (at least Minimum Count malware detections for that username or IP address fall within the window), the request is considered associated with malware and the risk score is increased.
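The three procedures above (blacklist, country and malware) share one counting rule, and the Python below spells it out against a constructed set of detection records. This is an added example, not Security Analytics Engine code: the record layout, the calendar-day window ending on the evaluation date, and the reading of the step 1 NOTE as "skip when either the user ID or the IP address is missing" are assumptions; the parameter bounds are the ones the tables give.

```python
"""Threshold logic behind Associated w/ Blacklist, Associated w/ Country and
Associated w/ Malware. Added illustration, not Security Analytics Engine code."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample of the SonicWALL-derived records the engine would consult:
# (detected_at, username, ip, kind, value). Field names are assumptions.
SAMPLE_RECORDS = [
    ("2024-03-10T08:15:00", "jdoe",   "203.0.113.7",   "blacklist", "Dell SecureWorks"),
    ("2024-03-10T09:40:00", "jdoe",   "203.0.113.7",   "blacklist", "Dell SecureWorks"),
    ("2024-03-11T02:05:00", "jdoe",   "198.51.100.9",  "blacklist", "Custom text list(s)"),
    ("2024-03-12T12:00:00", "asmith", "198.51.100.22", "country",   "Sudan"),
    ("2024-03-13T15:30:00", "asmith", "198.51.100.22", "malware",   "generic"),
    ("2024-02-01T10:00:00", "jdoe",   "203.0.113.7",   "malware",   "generic"),  # outside a 7-day window
]
TODAY = date(2024, 3, 13)  # evaluation date for the sample


@dataclass(frozen=True)
class ThresholdCondition:
    kind: str                        # "blacklist", "country" or "malware"
    days_to_check: int               # 1..365
    minimum_count: int               # 1..9999
    minimum_days: Optional[int]      # None for Associated w/ Malware, which has no Minimum Days
    values: frozenset = frozenset()  # selected lists or countries; empty means "All lists"

    def __post_init__(self):
        # Bounds from the parameter tables, enforced so a bad policy fails at
        # configuration time instead of silently never matching.
        if not 1 <= self.days_to_check <= 365:
            raise ValueError("Days To Check must be between 1 and 365")
        if not 1 <= self.minimum_count <= 9999:
            raise ValueError("Minimum Count must be between 1 and 9999")
        if self.minimum_days is not None and not 1 <= self.minimum_days <= self.days_to_check:
            raise ValueError("Minimum Days must be between 1 and Days To Check")


# Default conditions as described in Tables 10, 11 and 12.
BLACKLIST_DEFAULT = ThresholdCondition("blacklist", 7, 1, 1)
COUNTRY_DEFAULT = ThresholdCondition(
    "country", 7, 1, 1, frozenset({"Iran, Islamic Republic of", "Sudan", "Syrian Arab Republic"}))
MALWARE_DEFAULT = ThresholdCondition("malware", 7, 1, None)


def is_associated(cond, username, ip, records, dynamic_networks=(), today=TODAY):
    """True when the request should raise the risk score under `cond`."""
    # Step 1 NOTE: nothing to look up, or the address sits in a configured
    # DynamicNetwork range -> the condition is not relevant (assumed reading).
    if not username or not ip:
        return False
    if any(ip_address(ip) in ip_network(net) for net in dynamic_networks):
        return False

    # Days To Check calendar days ending today, inclusive (assumption).
    window_start = today - timedelta(days=cond.days_to_check - 1)
    per_day = Counter()
    for ts, rec_user, rec_ip, kind, value in records:
        if kind != cond.kind:
            continue
        if cond.values and value not in cond.values:   # e.g. only Dell SecureWorks
            continue
        if rec_user != username and rec_ip != ip:       # either the user or the address matches
            continue
        day = datetime.fromisoformat(ts).date()
        if window_start <= day <= today:
            per_day[day] += 1

    if cond.minimum_days is None:
        # Associated w/ Malware: Minimum Count applies to the whole window.
        return sum(per_day.values()) >= cond.minimum_count
    # Blacklist / Country: Minimum Count applies per day, and at least
    # Minimum Days such days are required.
    qualifying_days = sum(1 for n in per_day.values() if n >= cond.minimum_count)
    return qualifying_days >= cond.minimum_days


if __name__ == "__main__":
    for cond in (BLACKLIST_DEFAULT, COUNTRY_DEFAULT, MALWARE_DEFAULT):
        print(cond.kind, "jdoe:", is_associated(cond, "jdoe", "203.0.113.7", SAMPLE_RECORDS),
              "asmith:", is_associated(cond, "asmith", "198.51.100.22", SAMPLE_RECORDS))
```

Note the interaction of the two thresholds: with the sample data, jdoe has two blacklist hits on one day and one on the next, so Minimum Count 2 with Minimum Days 1 matches but Minimum Count 2 with Minimum Days 2 does not. Restricting Use Blacklist Type(s) to Dell SecureWorks drops the custom-list hit from the count.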

Authentication List

NOTE: The BuiltinPlugin is associated with this condition and provides important settings.

Categorized as a Behavior condition, this condition type checks which authentication method was used for the access attempt and matches it against a configured list of methods. The following parameters are available:

Table 13: Authentication List parameters (each entry gives the parameter, its description, and the values used in the two associated default conditions)

Identifier
    Enter a name for the condition.
    Defaults: Weak Authentication (Default); Strong Authentication (Default)

Description
    Enter a description for the condition.
    Weak Authentication (Default): Request used a weak method of authentication.
    Strong Authentication (Default): Request used a strong method of authentication.

Risk Type Value
    Select the impact the condition has on the risk score:
      • Can increase risk - Selecting this option causes the risk score to increase if the access attempt used a listed authentication method.
      • Can decrease risk - Selecting this option causes the risk score to decrease if the access attempt used a listed authentication method. A condition with this setting can only be used as a modifier in a risk policy.
      • Can both increase or decrease risk - Selecting this option allows you to configure the risk score to either increase or decrease.
    NOTE: To avoid application configuration errors, this parameter cannot be edited once the condition has been saved.
    Weak Authentication (Default): Can increase risk
    Strong Authentication (Default): Can decrease risk

Authentication Definitions
    From the drop-down list, select the check box to the left of each authentication method to check for during an access attempt.
    Weak Authentication (Default): 14 item(s) selected - SAML 1.1 Password, SAML 2.0 Internet Protocol, SAML 2.0 InternetProtocolPassword, SAML 2.0 MobileOneFactorUnregistered, SAML 2.0 MobileOneFactorContract, SAML 2.0 Password, SAML 2.0 PasswordProtectedTransport, SAML 2.0 PreviousSession, SAML 2.0 Telephony, SAML 2.0 Telephony ("Nomadic"), SAML 2.0 Telephony (Personalized), SAML 2.0 Telephony (Authenticated), SAML 2.0 Unspecified, SAML 1.1 Unspecified
    Strong Authentication (Default): 34 item(s) selected - SAML 1.1 Kerberos, SAML 1.1 Secure Remote Password (SRP), SAML 1.1 Hardware Token, SAML 1.1 SSL/TLS Certificate-Based Client Authentication, SAML 1.1 PGP Public Key, SAML 1.1 SPKI Public Key, SAML 1.1 XKMS Public Key, SAML 1.1 XML Digital Signature, SAML 2.0 Kerberos, SAML 2.0 MobileTwoFactorUnregistered, SAML 2.0 MobileTwoFactorContract, SAML 2.0 Public Key - X.509, SAML 2.0 Public Key - PGP, SAML 2.0 Public Key - SPKI, SAML 2.0 Public Key - XML Digital Signature, SAML 2.0 SmartcardPKI, SAML 2.0 Smartcard, SAML 2.0 SoftwarePKI, SAML 2.0 Secure Remote Password, SAML 2.0 SSL/TLS Certificate-Based Client Authentication, SAML 2.0 TimeSyncToken, ADSF IWA, CAM Multi-factor Windows Radius, CAM Multi-factor Password Radius, CAM Multi-factor Kerberos Radius, CAM Multi-factor Certificate Radius, CAM Multi-factor Kerberos Certificate, CAM Multi-factor Windows Certificate, CAM Multi-factor Password Certificate, CAM Multi-factor Windows Authy, CAM Multi-factor Password Authy, CAM Multi-factor Kerberos Authy, CAM Multi-factor Certificate Authy, CAM Multi-factor Certificate Certificate

Checking for an authentication method

The following procedure explains how the Security Analytics Engine checks the method of authentication used during an access attempt.

How the Security Analytics Engine checks for an authentication method

  1. A user attempts to access an application that uses an Authentication List condition type to check the method of authentication used for access.
  2. The Security Analytics Engine checks whether the access attempt used one of the authentication methods selected in the condition. If the check returns false (the method is not in the list), the risk score is not affected.
  3. If the check returns true (the method is in the list), the risk score is increased or decreased according to the condition's Risk Type Value.
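As an added illustration of steps 2 and 3 (not code from the product), the Python below reads the AuthnContextClassRef from a constructed SAML 2.0 assertion and decides whether the default Weak Authentication or Strong Authentication condition would match and which way the risk score would move. The SAML 2.0 URNs are this example's own mapping of the UI labels in Table 13; the SAML 1.1, ADSF IWA and CAM entries are not covered, and the treatment of an assertion with no AuthnContextClassRef as "unspecified" is an assumption.

```python
"""Authentication List style check on a SAML 2.0 assertion. Added illustration,
not Security Analytics Engine code."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# SAML 2.0 authentication context classes, grouped the way the guide's default
# conditions group them (Weak -> "Can increase risk", Strong -> "Can decrease risk").
WEAK_CLASSES = frozenset(AC + c for c in (
    "InternetProtocol", "InternetProtocolPassword", "MobileOneFactorUnregistered",
    "MobileOneFactorContract", "Password", "PasswordProtectedTransport",
    "PreviousSession", "Telephony", "NomadTelephony", "PersonalTelephony",
    "AuthenticatedTelephony", "unspecified",
))
STRONG_CLASSES = frozenset(AC + c for c in (
    "Kerberos", "MobileTwoFactorUnregistered", "MobileTwoFactorContract",
    "X509", "PGP", "SPKI", "XMLDSig", "SmartcardPKI", "Smartcard", "SoftwarePKI",
    "SecureRemotePassword", "TLSClient", "TimeSyncToken",
))


def build_assertion(authn_context_inner_xml):
    """Constructed, unsigned assertion fragment used as sample input."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">'
        '<saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>'
        '<saml:AuthnStatement AuthnInstant="2024-03-13T15:30:00Z">'
        f'<saml:AuthnContext>{authn_context_inner_xml}</saml:AuthnContext>'
        '</saml:AuthnStatement></saml:Assertion>'
    )


WEAK_ASSERTION = build_assertion(
    f"<saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>")
STRONG_ASSERTION = build_assertion(
    f"<saml:AuthnContextClassRef>{AC}SmartcardPKI</saml:AuthnContextClassRef>")
NO_CLASS_ASSERTION = build_assertion(
    "<saml:AuthnContextDeclRef>urn:example:decl</saml:AuthnContextDeclRef>")


def authn_context_class(assertion_xml):
    """Return the AuthnContextClassRef URI, or None if the assertion has none."""
    root = ET.fromstring(assertion_xml)
    ref = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    text = (ref.text or "").strip() if ref is not None else ""
    return text or None


def classify(class_ref):
    """'weak', 'strong' or 'unlisted' (neither default condition matches)."""
    if class_ref is None:
        # Assumption of this example: an assertion that does not say how the
        # user authenticated is treated like 'unspecified', which Table 13
        # lists under Weak Authentication.
        return "weak"
    if class_ref in WEAK_CLASSES:
        return "weak"
    if class_ref in STRONG_CLASSES:
        return "strong"
    return "unlisted"


def risk_direction(assertion_xml):
    """Effect of the matching default condition's Risk Type Value: 'increase'
    for Weak Authentication, 'decrease' for Strong Authentication, 'none' when
    neither list contains the method (step 2 returns false)."""
    return {"weak": "increase", "strong": "decrease"}.get(
        classify(authn_context_class(assertion_xml)), "none")


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_ASSERTION), ("strong", STRONG_ASSERTION), ("none", NO_CLASS_ASSERTION)):
        print(name, authn_context_class(xml), risk_direction(xml))
```

Because the Strong Authentication default is "Can decrease risk", the class reference is worth checking only after the assertion's signature, issuer and audience have been validated: an unverified assertion claiming SmartcardPKI would otherwise lower the risk score on the strength of a value the client controls.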