Starling Identity Analytics & Risk Intelligence Hosted - User Guide


Risk Profile panes

On the Risk Profile page there are two panes displayed at the bottom of the page. They display information on the matched rules and entitlements for the account.

Matched Rules pane
Matched Rules

This displays the number of entitlement classification rules that are currently triggered by the account’s entitlements. The table below specifies each of those matched entitlement classification rules.

To search based on a rule name, hover over this icon to display the Filter Rules field. Begin typing the name of the rule you want to locate and the Matched Rules table will update accordingly.

Rules

This column lists the name of the rule. A rule that resulted in an increased risk level for an existing high risk account is indicated by an icon. A rule that resulted in a newly designated high risk account is indicated by an icon.

Direct Entitlements/Group Entitlements display

The center portion of this table uses colored bars (a key is provided at the bottom of the table) to reflect the type and number of entitlement(s) associated with the entitlement classification rule (for example, a combination bar of light and dark blue shows that within the same entitlement classification rule both Direct Entitlements and Group Entitlements were matched). Hover over the bar for an explanation of what is being displayed.

Entitlements

This displays the total number of entitlement matches within the entitlement classification rule, regardless of whether they were direct or group entitlements.

Matched Entitlements pane
Matched Entitlements

This displays the number of entitlements that trigger the rules matched by this account. The table below specifies each of those matched entitlements.

To search based on an entitlement name, hover over this icon to display the Filter Entitlements field. Begin typing the name of the entitlement you want to locate and the Matched Entitlements table will update accordingly.

Permissions

This column lists the names of the entitlements. An entitlement that resulted in an increased risk level for the account is indicated by an icon. An entitlement that resulted in a newly designated high risk account is indicated by an icon.

Trustee

This column lists the name of the trustee that has been granted the permission.

Instance

This column lists the name of the instance in which the entitlement was granted to the account.

Target

For Active Directory and Active Roles entitlements, this column shows the target container (Group, Domain-DNS, Organization-Unit, and so on) associated with the granted permissions. For Safeguard entitlements, this column shows either the entitlement name, user name, or a path-like value (which includes the entitlement name, policy name, and possibly an account name) associated with the granted permission. It also displays the number of targets that have been granted the permission.

Direct Entitlements/Group Entitlements display

This unlabeled column uses colored bars to indicate whether the permission is a direct or group entitlement. Hover over the bar for the entitlement type.

Rules

This column lists the number of rules the entitlement is associated with.

Selecting any rule or entitlement listed in these panes displays the associated Account Evaluation Details page.

Introduction to Account Evaluation Details

The Account Evaluation Details page is used for displaying information regarding individual rules and entitlements assigned to an account in your data source. This page is displayed by clicking any of the matched rules or entitlements listed for an account on the Risk Profile page.

Account Evaluation Details page

To display the Account Evaluation Details page, click any of the matched rules or entitlements listed for an account on the Risk Profile page. The Account Evaluation Details page is used for displaying information regarding the rules and entitlements assigned to an account in your data source.

The following information appears on this page:

(Account name)

This pane displays the name and information regarding the account. Increased high risk accounts are indicated by an icon. New high risk accounts are indicated by an icon.

Matched Rules

This displays the number of entitlement classification rules that are currently triggered by the account’s entitlements.

Entitlements

This displays the total number of entitlement matches within the entitlement classification rule.

This toggle is used to alter the list below based on whether you are interested in information regarding the rules or entitlements for the listed user. For more information, see Rules view and Entitlements view.

Rules view

The Account Evaluation Details list is displayed at the bottom of the Account Evaluation Details page. When Rules is selected, via the toggle located above the list, the following information appears:

(Rule name)

This is the name of the rule. A rule that resulted in an increased risk level for an existing high risk account is indicated by an icon. A new high risk rule that is associated with the account is indicated by an icon.

To locate a specific rule, hover over the icon above the list to display the Filter Rules field. Begin typing the name of the rule you want to locate and the Rules view will update accordingly.

Entitlements

This displays the total number of entitlement matches within the entitlement classification rule. Depending on the data collected, there may be multiple permissions listed that are related to a single entitlement. For example, a permission may be assigned to both a local and built-in account; however, it is still related to the same entitlement and so is only counted once. In some cases there may be multiple entitlements that when combined will match the entitlement classification rule. When this occurs, a Multiple Entitlements drop-down menu can be expanded to show the entitlements which were combined.

(Verification)

This displays the current verification status for the associated rule. The following statuses may appear:

  • Request verification: This link is available for requesting verification that the listed user should in fact match this rule. For more information, see Requesting verification.
  • Pending verification: This status shows that a request for verification has occurred but has not yet been completed. Click the icon for additional information on the status. A pending verification request may be canceled manually by an administrator on the Verification page, or canceled automatically by Starling Identity Analytics & Risk Intelligence if a change to the configuration or data causes the rule to no longer be matched for the account. This can occur when the rule is disabled or deleted, a default rule is replaced with a cloned rule, the data source instance is unlicensed, or the matched entitlements are removed from the data source instance for the account.
  • Risk verified: This status shows that the user has been confirmed as needing to match the listed rule. Click the icon to open the Verification Details page for additional information on the status.
  • Requires mitigation: This status shows that although the data source currently has the user matching this rule, this should not be the case. Any rules marked as Requires mitigation should be removed for the user within the data source.

Expanding a rule in the list displays a table with the following information:

Permissions

This is the type of permission assigned to the entitlement classification rule. A rule that resulted in an increased risk level for an existing high risk account is indicated by an icon. A new high risk rule that is associated with the account is indicated by an icon. Clicking the permission will switch to the Entitlements view for the permission.

Trustee Type

This is the type of trustee associated with the rule. The following types may appear:

  • Direct: Indicates a direct membership.
  • Group: Indicates a direct member of a group that gives them rights to the trustee.
  • Group (Member & Nested): Indicates both a direct member and a member of a nested group that gives them rights to the trustee.
  • Group (Nested): Indicates a member of a nested group that gives them rights to the trustee.

Trustee

This is the trustee associated with the rule. If the permission is granted due to a nested membership, indicated by a Trustee Type of either Group (Member & Nested) or Group (Nested), the name of the trustee can be clicked to open the Group Membership Details dialog. This dialog displays the name of the account, the trustee, whether it is a direct (true) or indirect (false) group membership, and lists the nested groups that allowed for rights to the trustee.
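The distinction between the four Trustee Type values, and the nested group chains the Group Membership Details dialog lists, can be reproduced when reviewing an export of group memberships. The following is an added example, not code from Starling Identity Analytics & Risk Intelligence: the account, the group names and the `MEMBER_OF` data are constructed, and it assumes that "Direct" means the permission is granted to the account itself.

```python
# Constructed sample data: each key is a direct member of the listed groups.
MEMBER_OF = {
    "jsmith": {"Helpdesk", "Server Operators"},
    "Helpdesk": {"Tier2 Admins"},
    "Tier2 Admins": {"Server Operators", "Domain Admins"},
    "Domain Admins": {"Helpdesk"},  # circular nesting, to exercise the guard
}


def nested_chains(account, trustee, member_of):
    """Group chains of two or more hops that lead from account to trustee."""
    chains = []
    stack = [(g, [g]) for g in member_of.get(account, ()) if g != trustee]
    while stack:
        group, path = stack.pop()
        for parent in member_of.get(group, ()):
            if parent in path:  # already on this chain: circular nesting
                continue
            if parent == trustee:
                chains.append(path + [parent])
            else:
                stack.append((parent, path + [parent]))
    return sorted(chains)


def trustee_type(account, trustee, member_of=MEMBER_OF):
    """Return (trustee type label, nested chains) for one account/trustee pair."""
    if trustee == account:  # assumption: "Direct" = granted to the account itself
        return "Direct", []
    direct = trustee in member_of.get(account, ())
    chains = nested_chains(account, trustee, member_of)
    if direct and chains:
        return "Group (Member & Nested)", chains
    if chains:
        return "Group (Nested)", chains
    return ("Group", []) if direct else (None, [])


if __name__ == "__main__":
    for t in ("jsmith", "Helpdesk", "Server Operators", "Domain Admins"):
        print(t, trustee_type("jsmith", t))
```

A Group (Nested) result is the case most easily missed in a manual review, because the account never appears in the trustee group's own member list.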

Data Source

This is the type of data source associated with the rule.

Instance

This is the instance associated with the rule.

Granted Target

This column displays the name of the target or, in cases where multiple targets apply, the type of target. It also displays the number of targets that have been granted the permission when there are multiple targets. Clicking a link in this column opens the associated Target Details page.

Affected (object type)

When applicable, this column will be displayed to show the number of objects affected by the permission. Clicking on the value opens the Affected Object page which lists the affected and unaffected objects associated with the rule. If the affected objects are the same as the granted targets then nothing will be listed in this column. If there are no affected objects then the Affected Objects page will not be available for the permission.
