Identity Cloud

Key features

Identity Cloud add-on capability

Contact your ForgeRock representative if you are interested in adding Autonomous Access to your Identity Cloud subscription. Refer to Add-on capabilities.

Autonomous Access provides the following features:

  • Fully-native Identity Cloud deployment: ForgeRock’s Autonomous Access and its components are fully cloud-native, deployed into your new or existing development, staging, and production tenants. The data Autonomous Access gathers is stored for three months in the risk dashboard and six months in the cloud for optimal artificial intelligence/machine learning (AI/ML) analytics.

  • Machine learning-based anomaly detection: Autonomous Access uses AI/ML-based detection analytics centered around user behavior and geospatial contextual information at authentication. Anomaly detection includes location, time of day, operating system version, device model and type, browser type and version, and other data. Autonomous Access’s AI/ML decisions are explainable and provide the reasoning for its scoring rather than black box results with no transparency.

    User and entity behavior analytics (UEBA) is a security tool that uses machine learning to analyze network activity to flag online anomalies in a user’s behavioral profile. ForgeRock’s UEBA signal is complementary, meaning it can be used with other threat signals.

Autonomous Access attempts to answer the following questions when running its analytics:

  • Individual user behavior: Is this behavior anomalous compared to the user’s normal behavior?

  • Compare to a group of users: If the user typically behaves similarly to a group of users (for example, a department), is the user’s current behavior different in this situation?

  • Compare to all users: Is the user’s behavior different from any other behavior the platform has seen?

Autonomous Access features

Feature Description

Real time threat detection

In addition to anomaly detection, the Autonomous Access AI/ML analytics engine detects the following threats using heuristics:

  • Credential stuffing: Detects if a single IP is trying to access many users over a period of time by taking a total count of users being accessed by a single IP.

  • Suspicious IPs: Detects the total count of authentication attempts across all users by a single IP. An IP is deemed suspicious if the IP is making too many authentication attempts over a period of time.

  • Automated user agent filter: Detects if automated bots exist in the user-agent string.

  • Impossible traveler: Detects if a user authenticates from two locations that are too far apart for a person to have traveled between them in the time elapsed, because doing so would require an impossible speed.

  • Brute force: Detects the frequency of authentication attempts for a user over a period of time. If the frequency is high, then Autonomous Access flags the event as a possible brute force attack.

  • Prevent double jeopardy: Prevents flagging a user again for a given reason or risk score if they have successfully passed step-up authentication. For example, if a user in France travels to Singapore, is flagged for an unusual location, and passes step-up authentication, Autonomous Access will not flag the user again the next time the user logs in from the same city (Singapore) within a default time window (60 minutes).

  • Allow/block IP addresses: Overrides a risk score in cases where known IPs trigger false positives. For example, many users and organizations use VPNs for their online access; however, VPN use always triggers a credential stuffing rule, since many users are coming from the same IP address. You can override this behavior by adding the VPN IP address to an allow list. Conversely, you can completely avoid known dangerous IP addresses regardless of the risk score. You can set up a block list that prevents a range of IP addresses from accessing your system.

Autonomous Access dashboards

The Autonomous Access dashboard displays an intuitive risk activity page showing all suspected access threats occurring in the past three months across a world-wide company. Authorized users can click on an event to drill down to examine the details. The dashboards display the risky events specific to the realm that you are in.

Autonomous Access nodes

Three Autonomous Access nodes integrate within your journeys. No custom coding and connectors are required for these nodes. The following Autonomous Access nodes are available:

  • Autonomous Access signal node: The signal node determines the heuristics and anomaly detection to include in the risk score generation. The node begins making API calls to the Autonomous Access AI server to collect and extract data from a pre-defined data source. After you run an AI/ML training workflow to generate the risk scores and models, the Autonomous Access AI server returns the risk score and accompanying information for each event to the decision node.

  • Autonomous Access decision node: The decision node determines the actionable journey paths based on where a risk score lies within a predetermined range of scores.

  • Autonomous Access result node: The result node collects the risk predictions and results for successful and failed outcomes and writes them to the Autonomous Access AI server.

The nodes are all specific to the realm that you are in.

For further customization, you can use the more than 100 ForgeRock nodes within your journeys to implement your use cases. For more information, refer to Nodes.

Out-of-the-Box journey

Identity Cloud provides a preconfigured Autonomous Access journey with nodes. You can use this journey as a starting template for your specific use cases and requirements. The Identity Cloud Analytics dashboard also reports successful or failed Autonomous Access journeys. For more information, refer to Journeys.

Custom features

Autonomous Access lets you add custom features using YAML-based risk configuration and scripted nodes. For example, you can configure Autonomous Access with the following custom features:

  • Multiple policies: Companies typically require multiple risk policies for their various use cases. Autonomous Access provides a single risk policy out-of-the-box, but you can configure multiple policies.

  • Custom logic: Autonomous Access uses the highest risk score of all triggered signals by default. For example, if you have a UEBA signal with a score of 30 and an impossible traveler score of 60, the resulting score of these events is 60. However, you can also change the logic to use the sum of all triggered signals for your applications. For example, a UEBA score of 30 and an impossible traveler score of 60 results in a sum score of 90, which triggers a high risk.
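The sketch below is an added example, not ForgeRock code: it shows how the credential stuffing and impossible traveler heuristics, the IP allow list override, and the highest-score versus sum-of-scores logic described above fit together. The event data, thresholds, per-signal scores, and function names are all assumptions, and the whole sample is treated as a single time window.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events: (timestamp, user, ip, lat, lon)
EVENTS = [
    ("2023-05-01T08:00:00", "alice", "198.51.100.7", 48.8566, 2.3522),   # Paris
    ("2023-05-01T09:00:00", "bob",   "203.0.113.9",  1.3521, 103.8198),  # Singapore
    ("2023-05-01T09:10:00", "carol", "203.0.113.9",  1.3521, 103.8198),
    ("2023-05-01T09:20:00", "dave",  "203.0.113.9",  1.3521, 103.8198),
    ("2023-05-01T09:30:00", "alice", "203.0.113.9",  1.3521, 103.8198),
]
MAX_USERS_PER_IP = 3   # assumed credential stuffing threshold (distinct users per IP)
MAX_SPEED_KMH = 1000   # assumed fastest plausible travel speed
SCORES = {"credential_stuffing": 30, "impossible_traveler": 60}  # assumed scores

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(a))

def score_events(events, allow_list=(), mode="max"):
    """Return {event index: risk score}; mode is "max" (default) or "sum"."""
    users_by_ip, last_seen, result = defaultdict(set), {}, {}
    for i, (ts, user, ip, lat, lon) in enumerate(events):
        when, signals = datetime.fromisoformat(ts), []
        users_by_ip[ip].add(user)
        # Credential stuffing: count of distinct users from one IP, unless allow-listed
        if ip not in allow_list and len(users_by_ip[ip]) > MAX_USERS_PER_IP:
            signals.append("credential_stuffing")
        # Impossible traveler: implied speed since this user's previous login
        if user in last_seen:
            prev_when, plat, plon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            if hours > 0 and haversine_km(plat, plon, lat, lon) / hours > MAX_SPEED_KMH:
                signals.append("impossible_traveler")
        last_seen[user] = (when, lat, lon)
        values = [SCORES[s] for s in signals]
        result[i] = (sum(values) if mode == "sum" else max(values)) if values else 0
    return result
```

With the sample data, the last event triggers both signals: it scores 60 under the highest-score logic and 90 under the sum logic, and adding 203.0.113.9 to the allow list leaves only the impossible traveler score of 60.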

Copyright © 2010-2023 ForgeRock, all rights reserved.