Identity Cloud

Dashboards

After running the Autonomous Access journey, access the dashboard to view the results.

A tour of the Activity dashboard

Autonomous Access displays the results of its machine learning processing on the Activity dashboard.

The Activity dashboard displays a sortable list of "anomalous" events that were discovered during the AI/ML pipeline run. Each entry displays a summary of the event with the following information:

  • User Identifier. The username on the account. The example image displays an anonymized username. However, in your tenant, you will see the user’s actual name listed in the entry.

  • Date of Occurrence. The date that the anomalous event occurred.

  • Risk Score. The risk score associated with the event. A risk score combines the likelihood that an anomalous behavior event and/or a known threat was detected. Thus, a risk score of 100 indicates the highest likelihood that this access attempt was an anomaly and/or a known threat.

  • Heuristics. The type of heuristic used in the AI/ML analytics. The heuristic indicates the type of risk threat, such as "Automated User Agent," "Brute Force," "Credential Stuffing," "Impossible Traveller," and "Suspicious IP."

  • City, Country. The geolocation information for city and country.

  • Browser Type. The browser type that the user was using during the anomalous event.

You can also sort the Activity events list by descending risk score (default option), event time, and username.

Figure 1: The Autonomous Access Activity dashboard


The image displays an anonymized user identifier. In your tenants, you see actual user names.

In the right column, the Activity dashboard displays a world map with the number of risky events displayed in each circle. You can click and drag directly on the map to see events in other countries. If you click one of the red numbers, you will see a summary of the number of risky events and the average risk score associated with those events.

Figure 2: Summary of risky geolocation events


Activity detail page

To investigate a particular anomalous event, click a risky transaction event in the left-hand column. The Activity Detail dashboard displays the specific details of the risky transaction including transaction ID, user, risk score, time, location, device, and user agent plus a map of where the activity took place. The detail dashboard also lists the previous risky authentication attempts and the possible type of heuristic discovered (for example, Credential Stuffing). Any category that differs from normal behavior is marked with "Unusual <category>" (for example, "Unusual City").

Figure 3: Activity detail page


Filtering by date range

You can filter the display and risky events in a number of useful ways. If you select the Date filter, you can filter the dashboard to display only certain dates and ranges. The options are:

  • Today. Display only events that occurred today.

  • This Week. Display only the events that occurred this week.

  • This Month. Display only the events that occurred this month.

  • Customer. Display the events based on your selected calendar date range.

Figure 4: Activity dashboard date filtering


Filtering by risk score

The Activity dashboard also supports filtering by risk score range between 50 and 100.

Figure 5: Active Page Risk Score Filtering


Advanced filtering

The Activity dashboard also supports advanced filtering based on attribute type and value, as well as by heuristic. The attributes are derived from the information in the user agent string. The AI/ML pipelines use the heuristics that may have occurred in the selected timeframe.

To use advanced filtering:

  1. On the Activity dashboard, click Filters. The Filters dialog appears.

  2. Under Attribute Filters, click the Feature drop-down list, and select one of the following attributes:

    • City. The city where the risky event occurred, for example, Bristol, Singapore.

    • Country. The country where the risky event occurred, for example, United States, Singapore, Great Britain.

    • Device. The device that may have made the risky action, for example, iPad, Mac, Other.

    • Device Type. The device type of the system that made the risky action, for example, Apple, Samsung.

    • OS. The operating system of the computer, for example, iOS, Linux, Android.

    • OS Version. The operating system version, for example, 10, 11, 14.

    • Time of Day. The timestamp of the risk event.

    • User Agent. The User-Agent request header, which identifies the browser and operating system to the web server.

    • User ID. The user ID of the account that may have been compromised.

  3. Enter a value for the attribute that you selected in the previous step.

  4. Click the Heuristics menu, and select one of the following heuristics:

    • Anomaly detection. A threat where the user’s location, time of access, operating system version, device model and type, or browser version and type differ from normal behavior and context.

    • Automated user agent filter. A detected threat where an automated bot is in the user-agent string.

    • Brute force prevention. A detected threat where direct users are failing multiple authentication attempts.

    • Credential stuffing. A detected threat where an IP address is frequently used across a number of users.

    • Impossible traveller filter. A detected threat where an attacker exhibits multiple authentication attempts from various locations in a short time span, making such travel impossible for a single person.

    • Suspicious IP check. A detected threat where different users are coming from the same IP address.

  5. When done, click Apply. The Activity dashboard displays only the events that match your filter criteria.

Figure 6: Activity dashboard advanced filtering
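
To make two of the heuristic definitions above concrete, the following added example (not ForgeRock code, and not how Autonomous Access computes its results) applies the "Impossible traveller" and "Credential stuffing" descriptions to a handful of constructed authentication events. The event layout, the 900 km/h speed ceiling, and the three-users-per-IP threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real data): (user, ISO time, source IP, lat, lon)
EVENTS = [
    ("alice", "2022-03-01T08:00:00", "198.51.100.7", 51.45, -2.59),   # Bristol
    ("alice", "2022-03-01T09:30:00", "203.0.113.20", 1.35, 103.82),   # Singapore
    ("bob",   "2022-03-01T10:00:00", "203.0.113.20", 1.35, 103.82),
    ("carol", "2022-03-01T10:01:00", "203.0.113.20", 1.35, 103.82),
    ("dave",  "2022-03-01T10:02:00", "203.0.113.20", 1.35, 103.82),
    ("erin",  "2022-03-02T12:00:00", "192.0.2.44", 40.71, -74.01),    # New York
    ("erin",  "2022-03-03T12:00:00", "192.0.2.45", 51.45, -2.59),     # Bristol
]

MAX_SPEED_KMH = 900      # assumed ceiling: roughly airliner cruise speed
MIN_USERS_PER_IP = 3     # assumed threshold for "a number of users"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed=MAX_SPEED_KMH):
    """Return (user, km, hours) for consecutive logins that imply speed > max_speed."""
    by_user = defaultdict(list)
    for user, ts, _ip, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    hits = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Same-instant logins from different places are flagged too (hours == 0).
            if km > 0 and (hours == 0 or km / hours > max_speed):
                hits.append((user, round(km), hours))
    return hits


def shared_ips(events, min_users=MIN_USERS_PER_IP):
    """Return {ip: sorted users} for IPs seen with at least min_users distinct users."""
    users = defaultdict(set)
    for user, _ts, ip, _lat, _lon in events:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}
```

In the sample data, alice's Bristol-to-Singapore pair is flagged while erin's day-long New York-to-Bristol pair is not, which shows why the time gap matters as much as the distance.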


Copyright © 2010-2022 ForgeRock, all rights reserved.