Starling Identity Analytics & Risk Intelligence Hosted - User Guide


Editing a rule

From the Rule Details page, you can edit an existing entitlement classification rule.

To edit a rule

  1. From the Rules page, click the rule (or the button associated with it) that you want to edit. This opens the Rule Details page.
  2. On the Rule Details page, use the configuration options to make any changes to the rule. The rule must have a unique name, a description, and at least one selected data source.

    NOTE: To edit the name or description of a custom rule, click the button to the right of the field. Once you finish editing the rule name or description, you must click the button to save your edits. This will only save the changes made in that field. To remove any edits made in those fields, use the button.

    NOTE: There are specific configuration options for the Account Best Practices, Highly Privileged Group Members, and Highly Privileged Role Members rules. For more information, see Account Best Practices rules, Highly Privileged Group Members rule, and Highly Privileged Role Members rule.

    NOTE: Once you have finished editing the rule, clicking Preview shows what happens if the new rule is applied.

  3. Click Save to save changes and close the dialog.

Account Best Practices rules

From the Rules page, you can configure the Account Best Practices - Computers rule for your Active Directory and Active Roles data sources, while the Account Best Practices - Users rule can be configured for your Active Directory, Active Roles, and Azure Active Directory data sources. These rules focus on accounts with specific properties or behaviors that may lead to a security risk for your organization.

NOTE: Adding a new rule will override any existing default rule of that type. The default rule will then be hidden until all customized rules for it are deleted. Once the custom rules are deleted, the default rule (including any previous edits) will reappear on the Rules table.

Configuring the Account Best Practices rules

  1. From the Rules page, use one of the following methods to open the Rule Details page:
    • To create a new Account Best Practices rule:
      1. Click New Rule to open the New Rule page.
      2. In the Select Rule Template drop-down menu, select Account Best Practices - Computers or Account Best Practices - Users.
    • To clone the existing Account Best Practices rule:

      1. Click the Account Best Practices rule (or the button associated with it) that you want to clone. This opens the Rule Details page.
      2. On the Rule Details page, click Clone.
  2. Enter a unique name for the rule.
  3. Enter a description for the rule.
  4. Select which data source(s) will be evaluated by the rule. For each type of data source a new section will be made available under Best Practices.
  5. For each data source, the practices set to be evaluated are indicated with a check mark. Selecting a check mark will clear the check box and remove the practice from the evaluation. Additional configuration options are available for some of the listed practices:

    • Minimum Age of Account (Days): Use this field to specify the minimum age of the accounts to monitor (0-365). Once an account has reached this age it will be checked for the associated practice.
    • Timespan (Days): Use this field to specify a timespan during which to check for the practice (1-365).
    • Maximum Frequency: Use this field to specify how often a practice that is being monitored has occurred within the set timespan (1-99).

      NOTE: During a collection, parameters that report based on the frequency of an action (Password Has Been Reset Too Frequently and Account Has Been Locked Out Too Frequently) are only able to detect the last time the action has occurred. Therefore an action may have occurred multiple times between two collections, but will only count once toward Maximum Frequency.

    The following are the default configurations for each type of data source:

    NOTE: Once you have finished configuring the rule, clicking Preview shows what happens if the new rule is applied.

  6. Click Save to add the rule. The rule is now available for use.
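The collection NOTE in step 5 means the count compared against Maximum Frequency depends on how often collections run. The following is an added example, not the product's code: it assumes each collection reads only the most recent occurrence and that an account is flagged when the observed count exceeds Maximum Frequency; the function names and lockout times are constructed.

```python
from datetime import datetime, timedelta

def observed_occurrences(events, collections):
    """Distinct 'last occurrence' values a collector would record.

    Assumption: each collection can read only the most recent occurrence
    at or before the time it runs, as the NOTE describes.
    """
    events, seen = sorted(events), []
    for run in sorted(collections):
        prior = [e for e in events if e <= run]
        if prior and (not seen or seen[-1] != prior[-1]):
            seen.append(prior[-1])
    return seen

def count_in_timespan(times, now, timespan_days):
    start = now - timedelta(days=timespan_days)
    return sum(1 for t in times if start <= t <= now)

def evaluate(events, collections, now, timespan_days, max_frequency):
    """Compare what really happened with what the collections could see."""
    seen = observed_occurrences(events, collections)
    actual = count_in_timespan(events, now, timespan_days)
    observed = count_in_timespan(seen, now, timespan_days)
    return {
        "actual": actual,
        "observed": observed,
        # Assumption: flagged when the count exceeds Maximum Frequency.
        "flagged": observed > max_frequency,
        "flagged_with_full_history": actual > max_frequency,
    }

# Constructed sample data: five lockouts of one account over two days.
NOW = datetime(2024, 3, 8)
LOCKOUTS = [datetime(2024, 3, 5, 9, 5), datetime(2024, 3, 5, 9, 20),
            datetime(2024, 3, 5, 10, 5), datetime(2024, 3, 6, 14, 0),
            datetime(2024, 3, 6, 14, 30)]
START = NOW - timedelta(days=7)
DAILY = [START + timedelta(days=d) for d in range(8)]
HOURLY = [START + timedelta(hours=h) for h in range(7 * 24 + 1)]

if __name__ == "__main__":
    for label, runs in (("daily", DAILY), ("hourly", HOURLY)):
        print(label, evaluate(LOCKOUTS, runs, NOW, 7, 3))
```

With a Timespan of 7 days and a Maximum Frequency of 3, daily collections record 2 of the 5 lockouts and the account is not flagged; hourly collections record 4 and it is.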

Highly Privileged Group Members rule

From the Rules page, you can configure the Highly Privileged Group Members rule for your configured data sources to focus on accounts within specific domains or groups.

NOTE: Adding a new rule will override any existing default rule of that type. The default rule will then be hidden until all customized rules for it are deleted. Once the custom rules are deleted, the default rule (including any previous edits) will reappear on the Rules table.

Configuring the Highly Privileged Group Members rule

  1. From the Rules page, use one of the following methods to open the Rule Details page:
    • To create a new Highly Privileged Group Members rule:
      1. Click New Rule to open the New Rule page.
      2. In the Select Rule Template drop-down menu, select Highly Privileged Group Members.
    • To clone the existing Highly Privileged Group Members rule:

      1. Click the Highly Privileged Group Members rule (or the button associated with it) that you want to clone. This opens the Rule Details page.
      2. On the Rule Details page, click Clone.
  2. Enter a unique name for the rule.
  3. Enter a description for the rule.
  4. Select which data source(s) will be evaluated by the rule. For each type of data source a new pane will be made available under Groups.
  5. For each data source you can use the following configuration options:
    • (Optional) Groups with data source domain drop-down menu: Use these settings to specify data source domains. Specifying a name in the Enter a data source domain field will evaluate data source domains based on that name. Use Groups in any data source domain if you do not want to limit the evaluations to specifically named domains, but still want to evaluate based on the configured group.
    • (Optional) Groups with name drop-down menu: Use these settings to specify groups by name. Specifying a name in the Enter a group name field will evaluate groups that have that name and that match the domain configured above. Leave the field blank if you do not want to limit the evaluations to specifically named groups, but still want to evaluate based on the configured domain.
    • (Optional) To remove a previously configured domain, click the button.
    • (Optional) Click Add Group to configure additional data source domains and groups.

    The default Highly Privileged Group Members rule is configured to evaluate groups in your Active Directory and Active Roles data source domains with the name Administrators, Domain Admins, Enterprise Admins, Schema Admins, Hyper-V Administrators, DnsAdmins, Account Operators, Backup Operators, Cert Publishers, Group Policy Creator Owners, Protected Users, and Server Operators for each of your configured Active Directory and Active Roles data sources.

    NOTE: Once you have finished configuring the rule, clicking Preview shows what happens if the new rule is applied.

  6. Click Save to add the rule. The rule is now available for use.

Highly Privileged Role Members rule

From the Rules page, you can configure the Highly Privileged Role Members rule for your configured Azure Active Directory data sources to focus on accounts with specific roles.

NOTE: Adding a new rule will override any existing default rule of that type. The default rule will then be hidden until all customized rules for it are deleted. Once the custom rules are deleted, the default rule (including any previous edits) will reappear on the Rules table.

Configuring the Highly Privileged Role Members rule

  1. From the Rules page, use one of the following methods to open the Rule Details page:
    • To create a new Highly Privileged Role Members rule:
      1. Click New Rule to open the New Rule page.
      2. In the Select Rule Template drop-down menu, select Highly Privileged Role Members.
    • To clone the existing Highly Privileged Role Members rule:

      1. Click the Highly Privileged Role Members rule (or the button associated with it) that you want to clone. This opens the Rule Details page.
      2. On the Rule Details page, click Clone.
  2. Enter a unique name for the rule.
  3. Enter a description for the rule.
  4. Select which Azure Active Directory data source(s) will be evaluated by the rule.
  5. Use the following configuration options to customize the rule:
    • Data source domain drop-down menu: Use these settings to specify data source domains. Specifying a name in the Enter a data source domain field will evaluate data source domains based on that name. Use Roles in any data source domain if you do not want to limit the evaluations to specifically named domains, but still want to evaluate based on the configured role.
    • Roles with name drop-down menu: Use these settings to specify roles by name. Specifying a name in the Enter a role name field will evaluate roles that have that name and that match the domain configured above.
    • To remove a previously configured domain, click the button.
    • (Optional) Click Add Role to configure additional data source domains and roles.

    The default Highly Privileged Role Members rule is configured to evaluate roles in any data source domain with the name Application Administrator, Application Developer, Billing Administrator, Cloud Application Administrator, Company Administrator, Compliance Administrator, Conditional Access Administrator, Device Administrators, Directory Synchronization Accounts, Directory Readers, Directory Writers, CRM Service Administrator, Exchange Service Administrator, Guest Inviter, Helpdesk Administrator, Information Protection Administrator, Intune Service Administrator, Lync Service Administrator, Power BI Service Administrator, Privileged Role Administrator, Reports Reader, Security Administrator, Security Reader, Service Support Administrator, SharePoint Service Administrator, and User Account Administrator.

    NOTE: Once you have finished configuring the rule, clicking Preview shows what happens if the new rule is applied.

  6. Click Save to add the rule. The rule is now available for use.