NOTE: The BlacklistProviderPlugin is associated with this condition and provides important settings.
Categorized as a Network condition, this type of condition always causes the risk score to increase if the access attempt originates from a blacklisted IP address. The following parameters are available:
Parameter | Description | Associated default condition |
---|---|---|
Identifier | Enter a name for the condition. | Dynamic Blacklist (Default) |
Description | Enter a description for the condition. | Dynamic blacklist sources identified the request as being from a blacklisted IP address. |
Use Blacklist Type(s) | Select the blacklist(s) to use: | All Lists |
The following procedure explains how the Security Analytics Engine checks the IP address against one or more blacklists to determine if the access attempt is from a blacklisted IP address.
How the Security Analytics Engine checks for a blacklisted IP address
NOTE: The BuiltinPlugin is associated with this condition and provides important settings.
Categorized as a Network condition, this type of condition determines if the request originates from a specific IP address. The following parameters are available:
Parameter | Description | Associated default condition |
---|---|---|
Identifier | Enter a name for the condition. | Whitelist (Default) |
Description | Enter a description for the condition. | Originated from a whitelisted IP address range. |
Risk Type Value | Select the impact the condition will have on the risk score: | Can decrease risk |
Include Local IP Addresses | Select this option to include all web server local host IP addresses when evaluating configured loopback addresses. | (Selected) |
Subnet Definitions | The following fields and buttons appear in this section: | |
Network IP Address | Enter the network IP address. | IPv4, IPv6 |
IP Subnet Mask | Enter the subnet mask. | IPv4, IPv6 |
Delete | Click this button to remove the subnet definition. | N/A |
Add | Click to add additional subnet definitions to the list. | N/A |
The following procedure explains how the Security Analytics Engine checks the IP address to determine if the access attempt is from a listed network.
How the Security Analytics Engine checks for specific networks
The Security Analytics Engine compares the IP address used in the access attempt against the list of networks. If this check returns true (the IP address is in a listed network), the risk score is affected.
NOTE: If the Include Local IP Addresses parameter is selected and a loopback IP address is configured in the list, the Security Analytics Engine will also return true if the IP address used is one of the local IP addresses configured on the web server.
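The network check and the Include Local IP Addresses rule described above, modelled as an added Python example (this is not Security Analytics Engine code). The function names, the sample subnet definitions and the web server addresses are constructed for illustration, and IPv6 masks are assumed to be entered as prefix lengths.

```python
import ipaddress

# Constructed sample data (not from the product): subnet definitions as
# (Network IP Address, IP Subnet Mask) pairs, plus the web server's own IPs.
SUBNET_DEFINITIONS = [
    ("10.20.0.0", "255.255.0.0"),
    ("127.0.0.0", "255.0.0.0"),      # loopback entry, relevant to the NOTE
    ("2001:db8:10::", "48"),         # assumption: IPv6 mask given as prefix length
]
WEB_SERVER_LOCAL_IPS = ["198.51.100.7", "::1"]


def build_networks(subnet_definitions):
    """Parse the definitions; strict=True rejects entries with host bits set."""
    return [ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            for addr, mask in subnet_definitions]


def from_listed_network(client_ip, subnet_definitions,
                        include_local=True, local_ips=()):
    """Return True when the condition would match (hypothetical helper)."""
    ip = ipaddress.ip_address(client_ip)
    networks = build_networks(subnet_definitions)

    # Main check: is the address inside any listed network of the same family?
    if any(ip.version == net.version and ip in net for net in networks):
        return True

    # NOTE case: option selected AND a loopback network is in the list, so the
    # web server's own addresses also count as a match.
    loopback_listed = any(net.is_loopback for net in networks)
    if include_local and loopback_listed:
        return ip in {ipaddress.ip_address(a) for a in local_ips}
    return False


if __name__ == "__main__":
    for candidate in ("10.20.5.9", "10.21.0.1", "2001:db8:10:1::5", "198.51.100.7"):
        print(candidate, from_listed_network(
            candidate, SUBNET_DEFINITIONS, True, WEB_SERVER_LOCAL_IPS))
```

With the default Whitelist condition set to "Can decrease risk", a loopback entry combined with the selected option extends the match to every address bound on the web server, so review both settings together.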
The following conditions are available in the User category:
Condition type | Plugin | Default condition |
---|---|---|
Application Role (Default) | ||
Last Logon (Default) | ||
LDAP Group (Default) |
NOTE: The BuiltinPlugin is associated with this condition and provides important settings.
Categorized as a User condition, this type of condition determines if the user belongs to certain application roles to increase/decrease protection for accounts with specific roles. The following parameters are available:
Parameter | Description | Associated default condition |
---|---|---|
Identifier | Enter a name for the condition. | Application Role (Default) |
Description | Enter a description for the condition. | User belongs to certain application specific roles. |
Risk Type Value | Select the impact the condition will have on the risk score: | Can increase risk |
Role Definitions | The following field and buttons appear in this section: | |
Role | Enter the name of an application specific role to check the user against. | |
Delete | Click this button to remove the corresponding role from the list of role definitions. | N/A |
Add | Click to add additional roles to the list. | N/A |
The following procedure explains how the Security Analytics Engine checks if the user belongs to the specified role(s).
How the Security Analytics Engine checks application roles
The Security Analytics Engine checks if this access attempt is from an account in a specified role. If this check returns false (the account is not in a specified role or has no assigned roles), the risk score is not affected.
NOTE: In cases where a user has multiple roles, each role is checked to see if it corresponds with any of the roles specified in the Application Roles condition.