立即与支持人员聊天

获得即时帮助
完成注册

登录

请求定价

联系销售人员

Security Analytics Engine 1.1 - User Guide

Security Analytics Engine Overview

Introduction Launch the Security Analytics Engine Administration web site Web site components

Heading bar Main web pages Navigating the Security Analytics Engine Administration web site Filter data

Introduction Plugins page Plugins

BlacklistProviderPlugin BuiltinPlugin GeoLocationPlugin LdapPlugin SonicWALLPlugin

Editing plugins

Introduction Conditions page Condition categories

Abnormal Browser

Abnormal Authentication Abnormal Time Associated w/ Application Category Associated w/ Application Threat Level Associated w/ Blacklist Associated w/ Country Associated w/ Malware Authentication List

Abnormal Location Country List

Dynamic Blacklist Network List

Role List Last Logon LDAP Group

Adding and managing conditions

Creating a new condition Managing conditions

Shared Policies

Introduction Shared risk policies Shared Policies page Adding and managing shared risk policies

Adding a new shared risk policy Managing shared risk policies

Shared Policy wizard

Introduction Risk policies Applications page

Sample Application

Adding and managing applications

Adding a new application Managing applications

Adding and managing risk policies

Adding a new risk policy Managing risk policies Managing shared risk policies in an application

Application wizard

Introduction Auditing page

Filtering options Retention settings option Audit Events table Event details Download options

Filtering the audit events Configuring the retention settings Displaying details for an individual audit event Downloading audit events information Adding and managing overrides on the Auditing page

Adding a policy override Managing a policy override

Introduction Issued Alerts page

Filtering options Issued Alerts table

Filtering the issued alerts

Policy Overrides

Introduction Policy Overrides page Managing overrides on the Policy Overrides page

Fallback Password

Introduction Fallback Administrator Password page

Security Settings

Introduction Security wizard

Adding new authentication providers

Security wizard pages

Network

The following conditions are available in the Network category:

Table 17. Network conditions
Condition type	Plugin	Default condition
Dynamic Blacklist	BlacklistProviderPlugin	Dynamic Blacklist (Default)
Network List	BuiltinPlugin	Whitelist (Default)

Dynamic Blacklist


	NOTE: The BlacklistProviderPlugin is associated with this condition and provides important settings.

Categorized as a Network condition, this type of condition always causes the risk score to increase if the access attempt originates from a blacklisted IP address. The following parameters are available:

Table 18. Dynamic Blacklist parameters

Associated default condition

Enter a name for the condition.

Dynamic Blacklist (Default)

Enter a description for the condition.

Dynamic blacklist sources identified the request as being from a blacklisted IP address.

Use Blacklist Type(s)

Select the blacklist(s) to use:

•

•

Dell SecureWorks

•

Custom text list(s)

Checking for a blacklisted IP address

The following procedure explains how the Security Analytics Engine checks the IP address against one or more blacklists to determine if the access attempt is from a blacklisted IP address.

How the Security Analytics Engine checks for a blacklisted IP address

1

A user attempts to access an application that uses a Dynamic Blacklist condition type to check if an IP address is on a blacklist.

2

The Security Analytics Engine compares the IP address used in the access attempt against the blacklists currently enabled for the BlacklistProviderPlugin. If this check returns as true (the IP address is included in a blacklist), the risk score is increased.

3

If this check returns as false (the IP address is not in a blacklisted network), the risk score is not affected.

Network List


	NOTE: The BuiltinPlugin is associated with this condition and provides important settings.

Categorized as a Network condition, this type of condition determines if the request originates from a specific IP address. The following parameters are available:

Table 19. Network List parameters

Associated default condition

Enter a name for the condition.

Whitelist (Default)

Enter a description for the condition.

Originated from a whitelisted IP address range.

Risk Type Value

Select the impact the condition will have on the risk score:

•

Can increase risk - Selecting this option will cause the risk score to increase if the access attempt comes from a listed network.

•

Can decrease risk - Selecting this option will cause the condition score to decrease if the access attempt comes from a listed network. A condition with this setting can only be used as a modifier in a risk policy.

•

Can both increase or decrease risk - Selecting this check box will allow you to configure the risk score to either increase or decrease.

NOTE: In order to avoid application configuration errors, this parameter cannot be edited once the condition has been saved.

Can decrease risk

Include Local IP Addresses

Select this option to include all web server local host IP addresses when evaluating configured loopback addresses.

Subnet Definitions

The following fields and buttons appear in this section:

NOTE: For Whitelist (Default) there are two subnet definitions (IPv4 and IPv6).

Network IP Address

Enter the network IP address.

•

•

Enter the subnet mask.

•

•

ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Click this button to remove the subnet definition.

Click to add additional subnet definitions to the list.

Checking for a specific network

The following procedure explains how the Security Analytics Engine checks the IP address to determine if the access attempt is from a listed network.

How the Security Analytics Engine checks for specific networks

1

A user attempts to access an application that uses a Network List condition type to check if an IP address is in a listed network.

2

The Security Analytics Engine compares the IP address used in the access attempt against the list of networks. If this check returns as true (the IP address is in a listed network), the risk score is affected.


	NOTE: If the Include Local IP Addresses parameter is selected and a loopback IP address is configured in the list, the Security Analytics Engine will also return true if the IP address used is one of the local IP addresses configured on the web server.

3

If this check returns as false (the IP address is not in a listed network), the risk score is not affected.

User

The following conditions are available in the User category:

Table 20. User conditions
Condition type	Condition/Modifier	Default condition
Role List	BuiltinPlugin	Application Role (Default)
Last Logon	LdapPlugin	Last Logon (Default)
LDAP Group	LdapPlugin	LDAP Group (Default)

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级

© 2025 One Identity LLC. ALL RIGHTS RESERVED. 使用条款隐私 Cookie Preference Center