Starling Identity Analytics & Risk Intelligence Hosted - User Guide


Introduction to Rules

Accessed through the Rules link in the navigation bar, the Rules page is used for selecting and managing the entitlement classification rules that are available for the configured data sources. Starling Identity Analytics & Risk Intelligence evaluates these entitlement classification rules in order to identify the high risk accounts associated with your data source(s).

Default rules

A number of default entitlement classification rules are included. These default rules perform their evaluations against configured data sources; however, by overriding a default rule you can select individual data sources. Adding a new rule will override any existing default rule of that type until all customized rules for it are deleted. Once the custom rules are deleted, the default rule (including any previous edits) will reappear on the Rules page. See Available rules for information on the default rules.

Rules page

The Rules page is displayed when the Rules link is clicked in the navigation bar. The Rules page is used for managing the entitlement classification rules that Starling Identity Analytics & Risk Intelligence will use to help you identify high risk accounts.

The following options appear on this page:

New Rule

This opens the New Rule page used to add a rule from the data source. For more information, see Adding a new rule.

Hovering over the search icon displays a search box used to locate specific rules within the Rules table. To use the field, start typing the name of the rule and the table will automatically update to display the rules that match.

For information on the table appearing at the bottom of the Rules page, see Rules table. For information on the default rules, see Available rules.

Rules table

The Rules table is displayed at the bottom of the Rules page. It displays information on the entitlement classification rules currently configured for Starling Identity Analytics & Risk Intelligence.

The following information and options appear listed in the table:

Name

This is the name of the entitlement rule. If the rule is only applicable to a specific type of data source module, the type of data source module will be indicated before the rule's name (for example, ActiveRoles: Configuration Modify and Safeguard: Admin or Partition Owner).

Description

This is a description of the rule.

Matched Accounts

This displays the number of matched accounts.

Status

This is the current status of the entitlement rule.

Clicking one of the rules (or the button associated with it) will open the Rule Details page where you can modify the current settings and view additional information about the rule. See Available rules for information on the default rules.

IMPORTANT: You are unable to delete a default rule, but default rules can be disabled using the Rule Details page (for more information, see Disabling a rule).

IMPORTANT: Adding a new rule will override any existing default rule of that type. The default rule will then be hidden until all customized rules for it are deleted. Once the custom rules are deleted, the default rule (including any previous edits) will reappear on the Rules table.

Available rules

The following table lists all of the rules that are available on the Rules page and the related permissions that impact an evaluation:

Table 4: List of available rules (columns: Rule name, Data source(s), Permissions)

Account Best Practices - Computers

Active Roles, Active Directory

For more information, see Account Best Practices rules.

Account Best Practices - Users

Active Roles, Active Directory, Azure Active Directory

For more information, see Account Best Practices rules.

ActiveRoles: Configuration Full Control

Active Roles

Detected permissions:

  • Create Child AND Delete Child AND List Children AND Self AND Read Property AND Write Property AND List Object AND Extended Rights AND Delete AND Read Control AND Write DACL AND Write Owner AND Delete Tree AND Copy Object

ActiveRoles: Configuration Modify

Active Roles

Detected permissions:

  • Create Child
  • Delete Child
  • Write Property
  • Extended Rights
  • Delete
  • Write DACL
  • Write Owner
  • Delete Tree
  • Copy Object

Ignored permissions:

  • Write Property: EDSVA-Client-Version on EDS-Client-Session AND Write Property: EDSA-LDAP-Server on Domain AND Extended Right: Access Personal Settings on EDS-WI-Interface

Change Group Type and Scope

Active Roles

Detected permissions:

  • Write Property: Group Type of Groups

Active Directory

Detected permissions:

  • Write Property: Group Type of Groups

Create Groups

Active Roles

Detected permissions:

  • Create Child: Groups

Active Directory

Detected permissions:

  • Create Child: Groups

Create Organizational Units

Active Roles

Detected permissions:

  • Create Child: Organizational Unit

Active Directory

Detected permissions:

  • Create Child: Organizational Unit

Create Users

Active Roles

Detected permissions:

  • Create Child: Users

Active Directory

Detected permissions:

  • Create Child: Users

Delete Groups

Active Roles

Detected permissions:

  • Delete Child: Groups
  • Delete: Groups
  • List Objects In: Domain AND Delete Tree Containing: Groups
  • List Objects In: Managed Unit AND Delete Tree Containing: Groups
  • List Objects In: Built In Domain AND Delete Tree Containing: Groups
  • List Objects In: Container AND Delete Tree Containing: Groups
  • List Objects In: Organizational Unit AND Delete Tree Containing: Groups

Active Directory

Detected permissions:

  • Delete Child: Groups
  • Delete: Groups

Delete Organizational Units

Active Roles

Detected permissions:

  • Delete Child: Organizational Unit
  • Delete: Organizational Unit
  • List Objects In: Domain AND Delete Tree Containing: Organizational Units
  • List Objects In: Managed Unit AND Delete Tree Containing: Organizational Units
  • List Objects In: Organizational Unit AND Delete Tree Containing: Organizational Units

Active Directory

Detected permissions:

  • Delete Child: Organizational Unit
  • Delete: Organizational Unit

Delete Users

Active Roles

Detected permissions:

  • Delete Child: Users
  • Delete: Users
  • List Objects In: Domain AND Delete Tree Containing: Users
  • List Objects In: Managed Unit AND Delete Tree Containing: Users
  • List Objects In: Container AND Delete Tree Containing: Users
  • List Objects In: Organizational Unit AND Delete Tree Containing: Users

Active Directory

Detected permissions:

  • Delete Child: Users
  • Delete: Users

Enable/Disable Users

Active Roles

Detected permissions:

  • Write Property: User Account Control of Users
  • Write Property: EDSA-Account-Is-Disabled of Users

Active Directory

Detected permissions:

  • Write Property: User Account Control of Users

Highly Privileged Group Members

Active Roles, Active Directory, Safeguard, Azure Active Directory

For more information, see Highly Privileged Group Members rule.

Highly Privileged Role Members

Azure Active Directory

For more information, see Highly Privileged Role Members rule.

Modify Group Members

Active Roles

Detected permissions:

  • Write Property: Member of Groups

Active Directory

Detected permissions:

  • Write Property: Member of Groups

Reset User Passwords

Active Roles

Detected permissions:

  • Read Property: Object Class of Users AND Extended Right: Reset Password on Users
  • Write Property: EDSA-Password of Users

Active Directory

Detected permissions:

  • Read Property: Object Class of Users AND Extended Right: Reset Password on Users

Safeguard: Access Request by Local User

Safeguard

Detected permissions:

  • Local User AND Password Access Request
  • Local User AND Session Access Request Account Scope
  • Local User AND Session Access Request Asset Scope
  • Local User AND Session Access Request Linked Account

Safeguard: Access Request via Emergency Access

Safeguard

Detected permissions:

  • Emergency Access AND Password Access Request
  • Emergency Access AND Session Access Request Account Scope
  • Emergency Access AND Session Access Request Asset Scope
  • Emergency Access AND Session Access Request Linked Account

Safeguard: Access Request without 2FA

Safeguard

Detected permissions:

  • User does not require 2FA or certificate/smart card authentication AND Password Access Request
  • User does not require 2FA or certificate/smart card authentication AND Session Access Request Account Scope
  • User does not require 2FA or certificate/smart card authentication AND Session Access Request Asset Scope
  • User does not require 2FA or certificate/smart card authentication AND Session Access Request Linked Account

Safeguard: Admin or Partition Owner

Safeguard

Detected permissions:

  • Any user that has been granted one or more of the following permissions in Safeguard: Authorizer, User, Help Desk, Appliance, Operations, Asset, Directory, Security Policy.
  • Any user that is a Delegated Owner of a Partition.

Safeguard: Session and Password Access Request to Same Account

Safeguard

Detected permissions:

  • Password Access Request AND Session Access Request Account Scope
  • Password Access Request AND Session Access Request Asset Scope
  • Password Access Request AND Session Access Request Linked Account

Unlock Users

Active Roles

Detected permissions:

  • Write Property: Lockout Time of Users
  • Write Property: EDSA-Account-Locked-Out of Users

Active Directory

Detected permissions:

  • Write Property: Lockout Time of Users

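The following is an added example, not code from Starling Identity Analytics & Risk Intelligence, that models two things this page describes: how an entitlement classification rule from the table above is evaluated as alternative clauses whose AND terms must all be granted (with the ignored permissions of ActiveRoles: Configuration Modify excluded before matching), and how a custom rule hides the default rule of the same type until the custom rules are removed (see Default rules). The data model (a Grant per data source, principal, permission and object type), the prefix matching of "Write Property: Member" against "Write Property", the treatment of each ignored permission as an individual exclusion, the custom rule, and all principal names are assumptions made for the example.

```python
"""Toy evaluator for entitlement classification rules (added example, not the product's code).

Assumed data model: a collector reports one Grant per (data source, principal,
permission, object type). A Rule is a list of alternative clauses; each clause is a
conjunction of (permission, object type) terms, which is how the AND bullets in the
table read. A granted permission satisfies a term when it is equal to it or is a
"<term>: <detail>" refinement of it, so "Write Property: Member" counts as "Write Property".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Term = Tuple[str, str]  # (permission, object type); "*" accepts any object type


@dataclass(frozen=True)
class Grant:
    source: str      # data source that reported the grant, e.g. "Active Directory"
    principal: str
    permission: str  # e.g. "Write Property: Member", "Extended Right: Reset Password"
    target: str      # object class the grant applies to, e.g. "Groups", "Users"


@dataclass
class Rule:
    name: str
    source: str                                      # data source the rule evaluates
    clauses: List[List[Term]]                        # matches if ANY clause has ALL terms granted
    ignored: Set[Term] = field(default_factory=set)  # benign built-in grants, removed before matching
    is_default: bool = True


def _perm_matches(granted: str, wanted: str) -> bool:
    return granted == wanted or granted.startswith(wanted + ": ")


def _term_granted(term: Term, held: Set[Term]) -> bool:
    perm, target = term
    return any(_perm_matches(p, perm) and target in ("*", t) for p, t in held)


def evaluate(rule: Rule, grants: List[Grant]) -> Set[str]:
    """Return the principals whose grants on the rule's data source satisfy at least one clause."""
    held: Dict[str, Set[Term]] = {}
    for g in grants:
        if g.source == rule.source:  # a rule only sees grants from its own data source
            held.setdefault(g.principal, set()).add((g.permission, g.target))
    matched = set()
    for principal, terms in held.items():
        effective = terms - rule.ignored  # a principal holding only ignored grants is not flagged
        if any(all(_term_granted(t, effective) for t in clause) for clause in rule.clauses):
            matched.add(principal)
    return matched


def effective_rules(rules: List[Rule]) -> List[Rule]:
    """A custom rule hides every default rule with the same name (assumed to be the rule
    type); removing the custom rules from the list makes the default visible again."""
    overridden = {r.name for r in rules if not r.is_default}
    return [r for r in rules if not r.is_default or r.name not in overridden]


# Three rules transcribed from the table above.
RESET_USER_PASSWORDS_AD = Rule(
    "Reset User Passwords", "Active Directory",
    [[("Read Property: Object Class", "Users"), ("Extended Right: Reset Password", "Users")]])
DELETE_GROUPS_AR = Rule(
    "Delete Groups", "Active Roles",
    [[("Delete Child", "Groups")], [("Delete", "Groups")],
     [("List Objects In", "Domain"), ("Delete Tree Containing", "Groups")]])
CONFIG_MODIFY_AR = Rule(
    "ActiveRoles: Configuration Modify", "Active Roles",
    [[(p, "*")] for p in ("Create Child", "Delete Child", "Write Property", "Extended Rights",
                          "Delete", "Write DACL", "Write Owner", "Delete Tree", "Copy Object")],
    ignored={("Write Property: EDSVA-Client-Version", "EDS-Client-Session"),
             ("Write Property: EDSA-LDAP-Server", "Domain"),
             ("Extended Right: Access Personal Settings", "EDS-WI-Interface")})

# A hypothetical custom rule of the same type as the default "Delete Groups" rule.
CUSTOM_DELETE_GROUPS = Rule("Delete Groups", "Active Directory",
                            [[("Delete Child", "Groups")]], is_default=False)
ALL_RULES = [RESET_USER_PASSWORDS_AD, DELETE_GROUPS_AR, CONFIG_MODIFY_AR, CUSTOM_DELETE_GROUPS]

# Constructed sample grants; the principal names are made up.
SAMPLE_GRANTS = [
    Grant("Active Directory", "helpdesk-tier1", "Read Property: Object Class", "Users"),
    Grant("Active Directory", "helpdesk-tier1", "Extended Right: Reset Password", "Users"),
    Grant("Active Directory", "auditor", "Read Property: Object Class", "Users"),  # only half the clause
    Grant("Active Roles", "ou-admin", "Delete Tree Containing", "Groups"),         # lacks List Objects In
    Grant("Active Roles", "domain-ops", "List Objects In", "Domain"),
    Grant("Active Roles", "domain-ops", "Delete Tree Containing", "Groups"),
    Grant("Active Roles", "everyone", "Write Property: EDSVA-Client-Version", "EDS-Client-Session"),
    Grant("Active Roles", "ar-admin", "Write Property: EDSVA-Client-Version", "EDS-Client-Session"),
    Grant("Active Roles", "ar-admin", "Write DACL", "Domain"),
]

if __name__ == "__main__":
    for r in effective_rules(ALL_RULES):
        print(f"{r.name} [{r.source}]: {sorted(evaluate(r, SAMPLE_GRANTS))}")
```

Running the block lists the effective rules and the principals each one flags: the default Delete Groups rule is hidden by the custom one, "auditor" is not flagged because it holds only one term of the Reset User Passwords clause, "ou-admin" is not flagged because Delete Tree Containing needs List Objects In as well, and "everyone" is not flagged because its only grant is on the ignored list.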