Configure the risk settings
Customers in different industry verticals require varying risk policies and heuristics in their applications. Ping Identity designed Autonomous Access’s risk configuration with this in mind.
To enable easy configuration of its risk parameters, Autonomous Access stores its risk configuration settings in a YAML-based file.
Users who have the Data_Analyst role can modify the parameters that set how risk is evaluated and what response Autonomous Access sends back to its node.
The Autonomous Access server polls the configuration file every ten minutes (default) for changes, so a saved change can take up to ten minutes to take effect.
Misconfiguration of the file can result in an inoperable service. The ForgeRock Professional Services group can assist in the risk configuration process.
Grant Autonomous Access roles
Ping Identity Platform provides two roles that let users use different aspects of Autonomous Access:
- Fraud analyst. The fraud analyst role lets users access the Risk dashboard, but they cannot run any training or configuration.
- Data analyst. The data analyst role lets users access the risk administration menu options in the Advanced Identity Cloud admin UI, but they cannot access the Risk dashboard.
Administrators are automatically granted both roles and can assign these roles to other users.
Setting Autonomous Access roles
- In the Advanced Identity Cloud admin UI, go to Identities > Manage. Search for the user(s) to whom you want to assign the roles.
- In the Advanced Identity Cloud admin UI, go to Native Consoles > Access Management.
- Click Identities, and then click the Groups tab.
- If the Data_Analyst and Fraud_Analyst groups are not present, add them as follows:
  - Click Add Group.
  - In the Group ID field, enter Data_Analyst, and then click Create.
  - Repeat the previous step to create a Fraud_Analyst group. Both groups appear in the Groups tab.
- Go to Identities > Manage. Select a user to whom you want to add the role.
- Click the Groups tab, and in the Name field, select Data_Analyst or Fraud_Analyst.
- Repeat the previous two steps for each additional user who needs a role.
Risk configuration
The risk configuration page exposes the server-side risk settings and gives you full control over how your Autonomous Access system evaluates risk.
Edit the risk configuration
- On the Autonomous Access UI, go to Risk Administration > Risk Config.
- Edit any of the threshold parameters for each heuristic if necessary. Keep the key names and nesting exactly as they appear in the file: the server reads it as YAML, and a misspelled or misplaced key is the kind of misconfiguration that can leave the service inoperable.

  version: "1.1"
  bruteForce:
    BRUTE_FORCE_WINDOW_MS: 300000
    BRUTE_FORCE_COUNT_THRESHOLD: 20
    BRUTE_FORCE_RISK_SCORE: 100
  credentialStuffing:
    CREDENTIAL_STUFFING_WINDOW_MS: 600000
    CREDENTIAL_STUFFING_COUNT_THRESHOLD: 5
    CREDENTIAL_STUFFING_RISK_SCORE: 100
  impossibleTravel:
    IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH: 700
    IMPOSSIBLE_TRAVEL_RISK_SCORE: 100
  suspiciousIp:
    SUSPICIOUS_IP_WINDOW_MS: 300000
    SUSPICIOUS_IP_COUNT_THRESHOLD: 10
    SUSPICIOUS_IP_RISK_SCORE: 100
  uebaConfig:
    RISK_SCORE_RATIO: 0.25
    RISK_SCORE_CENTER_SIGMA: 50
    RISK_SCORE_BASELINE_THRESSHOLD_SIGMA: 6
    USER_COUNT_CUTOFF_FOR_SCORE: 20
  userAgentRule:
    USER_AGENT_RULE_RISK_SCORE: 100
  doubleJeoPardy:
    MFA_TIMEOUT: 60
  heuristicsConfig:
    HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY: max
  processConfig:
    risk_score_threshold: 50
    UEBA_AGGREGATION_STRATEGY: max
    HEURISTIC_AGGREGATION_STRATEGY: max
    RISK_PROCESS_TIMEOUT: 950
  distributed_attack_heuristic:
    DISTRIBUTED_ATTACK_WINDOW_MS: 600000
    DISTRIBUTED_ATTACK_COUNT_THRESHHOLD: 7
    DISTRIBUTED_ATTACKC_RISK_SCORE: 100
  block_and_allow_list:
    BLOCK_LIST: []
    ALLOW_LIST: []
The properties are defined as follows:
Risk configuration properties
Brute force
BRUTE_FORCE_WINDOW_MS
Number of milliseconds back in time to look for brute force events. Default: 300000. Minimum: 0.
BRUTE_FORCE_COUNT_THRESHOLD
Number of events required to trigger the rule. Default: 20. Minimum: 1.
BRUTE_FORCE_RISK_SCORE
Brute force risk score returned if the rule is tripped. Default: 100. Minimum: 1.
Credential stuffing
CREDENTIAL_STUFFING_WINDOW_MS
Number of milliseconds back in time to look for credential stuffing events. Default: 600000. Minimum: 0.
CREDENTIAL_STUFFING_COUNT_THRESHOLD
Number of events required to trigger the rule. Default: 5. Minimum: 1.
CREDENTIAL_STUFFING_RISK_SCORE
Credential stuffing risk score returned if the rule is tripped. Default: 100. Minimum: 1; maximum: 100.
Impossible travel
IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH
Speed in miles per hour above which the events will be flagged. Default: 700 mph. Minimum: 1; maximum: 5000.
IMPOSSIBLE_TRAVEL_RISK_SCORE
Impossible travel risk score returned if the rule is tripped. Default: 100. Minimum: 1; maximum: 100.
Suspicious IP
SUSPICIOUS_IP_WINDOW_MS
Number of milliseconds back in time to look for suspicious IP events. Default: 300000. Minimum: 60; maximum: 480.
SUSPICIOUS_IP_COUNT_THRESHOLD
Number of events required to trigger the rule. Default: 10. Minimum: 1.
SUSPICIOUS_IP_RISK_SCORE
Suspicious IP risk score returned if the rule is tripped. Default: 100.
UEBA config
RISK_SCORE_RATIO
Used for the calculation of the risk score. Default: 0.25. Minimum: 0; maximum: 1.
RISK_SCORE_CENTER_SIGMA
Used for the calculation of the risk score. Default: 50. Minimum: 1.
RISK_SCORE_BASELINE_THRESHOLD_SIGMA
Used for the calculation of the risk score. Default: 6. Minimum: 1.
USER_COUNT_CUTOFF_FOR_SCORE
Used for the calculation of the risk score. Default: 20. Minimum: 10.
User agent rule
USER_AGENT_RULE_RISK_SCORE
User agent rule risk score when an incoming user agent string is matched against a known pattern of botnet user agents. Default: 100. Minimum: 1; maximum: 100.
Double jeopardy
MFA_TIMEOUT
Multifactor authentication timeout in minutes if double jeopardy is enabled. Default: 60.
Heuristics config
HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY
Type of strategy used to determine the heuristic risk score. Options are:
- max: Final risk score is the maximum heuristic risk score assigned to the user. Default.
- avg: Final risk score is the average of all heuristic risk scores assigned to the user.
- softmax: Final risk score is measured as a percentage and obtained from the softmax function.
- sum_floor_to_hundred: Final risk score is the sum of all heuristic risk scores, capped at 100.
Process config
RISK_SCORE_THRESHOLD (written as risk_score_threshold in the file)
Risk score threshold for UEBA and heuristics, displayed on the risk dashboard. Default: 50. Minimum: 1; maximum: 100.
UEBA_AGGREGATION_STRATEGY
Type of aggregation strategy for UEBA signals:
- max: Final risk score is the maximum UEBA risk score assigned to the user. Default.
- avg: Final risk score is the average of all UEBA risk scores assigned to the user.
- softmax: Final risk score is measured as a percentage and obtained from the softmax function.
- sum_floor_to_hundred: Final risk score is the sum of all UEBA risk scores, capped at 100.
HEURISTIC_AGGREGATION_STRATEGY
Not needed. Leave the default value (max) in place.
RISK_PROCESS_TIMEOUT
Maximum time in milliseconds allowed for risk processing. Once the timeout elapses, risk scores are no longer processed. Default: 950 ms. Minimum: 1 ms; maximum: 1000 ms.
Block and allow list
BLOCK_LIST: [ ]
Overrides the risk score of IP addresses in the block list with a value of 100. You must also enable the Allow/Block List heuristic on your journey's Signal node.
- Supports IPv4 and IPv6 formats.
- Specify single IP addresses, like 10.0.48.0, or IP subnets, like 10.0.48.0/24.
- Regular expressions and wildcards cannot be used with the IP addresses.
- IPs on the block list are still subjected to heuristics and machine learning; their computed risk score is then overridden with a score of 100.
ALLOW_LIST: [ ]
Overrides the risk score of IP addresses in the allow list with a value of 0. Allow list IP addresses bypass heuristics and machine learning analytics. You must also enable the Allow/Block List heuristic on your journey's Signal node.
- Supports IPv4 and IPv6 formats.
- Specify single IP addresses, like 10.0.48.0, or IP subnets, like 10.0.48.0/24.
- Regular expressions and wildcards cannot be used with the IP addresses.
- IPs on the allow list are assigned a risk score of 0 and excluded from heuristics and machine learning, so keep the list narrow: no address inside an allow-listed subnet is ever evaluated.
Distributed attack heuristic
DISTRIBUTED_ATTACK_WINDOW_MS
Number of milliseconds back in time to look for distributed attack events. Default: 60000. Minimum: 0.
DISTRIBUTED_ATTACK_COUNT_THRESHOLD
Number of events required to trigger the rule. Default: 7.
DISTRIBUTED_ATTACK_RISK_SCORE
Risk score returned if the rule is tripped. Default: 100. Minimum: 1.
- After you have made your changes to the file, click Save. The Preview Risk Evaluation popup window appears.
- On the Preview Risk Evaluation popup window, do the following:
  - Click Bucket Search to select your data source location, or type the name of the data source location.
  - Optional. Enter an object prefix to filter your search results.
  - Next to your desired object, click the trailing dots, and then click Preview Object to display your data source change(s).
  - Click Preview Risk Evaluation to review a simulated risk evaluation for the first event. The preview covers that one event only; it does not exercise the time-window heuristics across a sequence of events.
- If you are satisfied with your change(s), click Save Config.
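Because the server only discovers a broken file on its next poll, it is worth checking a risk configuration before clicking Save Config. The following Python is an added example, not part of Autonomous Access or this page: it takes the configuration as the dictionary `yaml.safe_load` would return for the sample file above, flags unknown or missing keys (the key names are taken verbatim from that sample, misspellings included), enforces the minimum and maximum values from the property table, checks the strategy enumerations, and parses every BLOCK_LIST and ALLOW_LIST entry as a single address or CIDR subnet so wildcards are rejected. The two extra allow-list checks (a prefix covering more than 256 addresses, and an allow entry that overlaps a block entry) are my own assumptions about what a safe list looks like, not documented product rules; the `bad_config()` configuration is constructed for the demonstration.

```python
"""Pre-save checks for an Autonomous Access risk configuration.

Constructed example: key names come from the sample file on this page and the
bounds from its property table; the allow-list width and allow/block overlap
checks are an added assumption, not a documented product rule.
"""
import copy
import ipaddress

DEFAULT_CONFIG = {  # the sample file above, as yaml.safe_load would return it
    "version": "1.1",
    "bruteForce": {"BRUTE_FORCE_WINDOW_MS": 300000, "BRUTE_FORCE_COUNT_THRESHOLD": 20,
                   "BRUTE_FORCE_RISK_SCORE": 100},
    "credentialStuffing": {"CREDENTIAL_STUFFING_WINDOW_MS": 600000,
                           "CREDENTIAL_STUFFING_COUNT_THRESHOLD": 5,
                           "CREDENTIAL_STUFFING_RISK_SCORE": 100},
    "impossibleTravel": {"IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH": 700,
                         "IMPOSSIBLE_TRAVEL_RISK_SCORE": 100},
    "suspiciousIp": {"SUSPICIOUS_IP_WINDOW_MS": 300000, "SUSPICIOUS_IP_COUNT_THRESHOLD": 10,
                     "SUSPICIOUS_IP_RISK_SCORE": 100},
    "uebaConfig": {"RISK_SCORE_RATIO": 0.25, "RISK_SCORE_CENTER_SIGMA": 50,
                   "RISK_SCORE_BASELINE_THRESSHOLD_SIGMA": 6, "USER_COUNT_CUTOFF_FOR_SCORE": 20},
    "userAgentRule": {"USER_AGENT_RULE_RISK_SCORE": 100},
    "doubleJeoPardy": {"MFA_TIMEOUT": 60},
    "heuristicsConfig": {"HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY": "max"},
    "processConfig": {"risk_score_threshold": 50, "UEBA_AGGREGATION_STRATEGY": "max",
                      "HEURISTIC_AGGREGATION_STRATEGY": "max", "RISK_PROCESS_TIMEOUT": 950},
    "distributed_attack_heuristic": {"DISTRIBUTED_ATTACK_WINDOW_MS": 600000,
                                     "DISTRIBUTED_ATTACK_COUNT_THRESHHOLD": 7,
                                     "DISTRIBUTED_ATTACKC_RISK_SCORE": 100},
    "block_and_allow_list": {"BLOCK_LIST": [], "ALLOW_LIST": []},
}
# Every section and key the file is known to contain; anything else is treated as a typo.
EXPECTED_KEYS = {s: set(v) for s, v in DEFAULT_CONFIG.items() if isinstance(v, dict)}
STRATEGIES = {"max", "avg", "softmax", "sum_floor_to_hundred"}
BOUNDS = {  # (minimum, maximum) from the property table; None = no bound stated there
    "BRUTE_FORCE_WINDOW_MS": (0, None), "BRUTE_FORCE_COUNT_THRESHOLD": (1, None),
    "BRUTE_FORCE_RISK_SCORE": (1, None), "CREDENTIAL_STUFFING_WINDOW_MS": (0, None),
    "CREDENTIAL_STUFFING_COUNT_THRESHOLD": (1, None), "CREDENTIAL_STUFFING_RISK_SCORE": (1, 100),
    "IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH": (1, 5000), "IMPOSSIBLE_TRAVEL_RISK_SCORE": (1, 100),
    "SUSPICIOUS_IP_COUNT_THRESHOLD": (1, None), "RISK_SCORE_RATIO": (0, 1),
    "RISK_SCORE_CENTER_SIGMA": (1, None), "USER_COUNT_CUTOFF_FOR_SCORE": (10, None),
    "USER_AGENT_RULE_RISK_SCORE": (1, 100), "risk_score_threshold": (1, 100),
    "RISK_PROCESS_TIMEOUT": (1, 1000), "DISTRIBUTED_ATTACK_WINDOW_MS": (0, None),
}


def check_ip_lists(lists, max_allow_addresses=256):
    """Validate BLOCK_LIST/ALLOW_LIST entries: single IPv4/IPv6 addresses or CIDR subnets only."""
    problems, nets = [], {"BLOCK_LIST": [], "ALLOW_LIST": []}
    for name in nets:
        for entry in lists.get(name, []):
            try:  # ip_network rejects wildcards, ranges and regex-style entries
                nets[name].append(ipaddress.ip_network(str(entry), strict=False))
            except ValueError:
                problems.append(f"{name}: {entry!r} is not an IP address or CIDR subnet")
    # Assumption, not a product rule: allow-listed addresses skip all analytics, so a
    # wide prefix is almost always a mistake, and an address on both lists is ambiguous.
    for net in nets["ALLOW_LIST"]:
        if net.num_addresses > max_allow_addresses:
            problems.append(f"ALLOW_LIST: {net} covers {net.num_addresses} addresses")
        for blocked in nets["BLOCK_LIST"]:
            if net.version == blocked.version and net.overlaps(blocked):
                problems.append(f"{net} is on the allow list but overlaps block-list entry {blocked}")
    return problems


def validate_risk_config(cfg):
    """Return a list of problems; an empty list means the configuration passed every check."""
    problems = []
    for section, values in cfg.items():
        if section == "version":
            continue
        if section not in EXPECTED_KEYS:
            problems.append(f"unknown section {section!r}")
            continue
        for key, value in values.items():
            if key not in EXPECTED_KEYS[section]:
                problems.append(f"{section}: unknown key {key!r}")
            elif key in BOUNDS:
                lo, hi = BOUNDS[key]
                if isinstance(value, bool) or not isinstance(value, (int, float)):
                    problems.append(f"{section}.{key}: expected a number, got {value!r}")
                elif (lo is not None and value < lo) or (hi is not None and value > hi):
                    problems.append(f"{section}.{key}: {value} outside [{lo}, {hi}]")
            elif key.endswith("STRATEGY") and value not in STRATEGIES:
                problems.append(f"{section}.{key}: {value!r} is not one of {sorted(STRATEGIES)}")
    for section, keys in EXPECTED_KEYS.items():
        for key in sorted(keys - set(cfg.get(section, {}))):
            problems.append(f"{section}: missing key {key!r}")
    return problems + check_ip_lists(cfg.get("block_and_allow_list", {}))


def bad_config():
    """DEFAULT_CONFIG with deliberate mistakes, constructed to show what the checks catch."""
    cfg = copy.deepcopy(DEFAULT_CONFIG)
    cfg["processConfig"]["RISK_PROCESS_TIMEOUT"] = 5000                        # above the 1000 ms maximum
    cfg["heuristicsConfig"]["HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY"] = "mean"  # not a valid strategy
    cfg["bruteForce"]["BRUTE_FORCE_WINDOWS_MS"] = cfg["bruteForce"].pop("BRUTE_FORCE_WINDOW_MS")  # typo
    cfg["block_and_allow_list"] = {"BLOCK_LIST": ["10.0.48.*", "203.0.113.0/24"],  # wildcard is rejected
                                   "ALLOW_LIST": ["0.0.0.0/0", "203.0.113.7"]}     # whole Internet; overlap
    return cfg


if __name__ == "__main__":
    print("defaults:", validate_risk_config(DEFAULT_CONFIG) or "OK")
    for problem in validate_risk_config(bad_config()):
        print("bad config:", problem)
```

In practice you would load the file with `yaml.safe_load` and run `validate_risk_config` on the result in a pre-commit hook or CI job, and treat any returned string as a reason not to deploy the file. The unknown-key check is the one that pays for itself most often: a misspelled key is silently ignored by a lenient parser, and the heuristic then runs with whatever default the server falls back to.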
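The Preview Risk Evaluation step simulates a single event, which does not show how the windowed counters, the aggregation strategy and the allow/block override interact over a login sequence. The following Python is an added example, not Autonomous Access code, that replays constructed login events through a cut-down configuration so you can see exactly when each rule trips and what the final score becomes under `max`, `avg` and `sum_floor_to_hundred`. The page does not define what counts as a brute force or credential stuffing event, so the definitions here are assumptions: a brute force event is a failed login for one user, a credential stuffing event is a failed login from one source IP for a distinct user, the current event counts toward its own window, only heuristics that actually tripped are aggregated, and a score at or above `risk_score_threshold` is flagged. The page also does not define the softmax scaling, so that strategy is deliberately left unimplemented. The count thresholds and risk scores are lowered from the defaults so a seven-event replay is enough to trip both rules, and the IP addresses are documentation ranges.

```python
"""Replay authentication events through a risk configuration to see when rules trip.

Constructed example (not product code). Assumptions: a brute force event is a failed
login for one user, a credential stuffing event is a failed login from one source IP
for a distinct user, the current event counts toward its own window, only heuristics
that tripped are aggregated, and a score at or above risk_score_threshold is flagged.
The page does not define the softmax scaling, so that strategy is not implemented.
"""
import ipaddress

CONFIG = {  # page defaults, with the counts and scores lowered so a short replay trips them
    "bruteForce": {"BRUTE_FORCE_WINDOW_MS": 300000, "BRUTE_FORCE_COUNT_THRESHOLD": 3,
                   "BRUTE_FORCE_RISK_SCORE": 80},
    "credentialStuffing": {"CREDENTIAL_STUFFING_WINDOW_MS": 600000,
                           "CREDENTIAL_STUFFING_COUNT_THRESHOLD": 3,
                           "CREDENTIAL_STUFFING_RISK_SCORE": 60},
    "heuristicsConfig": {"HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY": "max"},
    "processConfig": {"risk_score_threshold": 50},
    "block_and_allow_list": {"BLOCK_LIST": ["192.0.2.0/24"], "ALLOW_LIST": ["203.0.113.7"]},
}

# Constructed login events: ts in milliseconds, ok=True for a successful authentication.
EVENTS = [
    {"ts": 0,      "user": "alice", "ip": "198.51.100.10", "ok": False},
    {"ts": 60000,  "user": "bob",   "ip": "198.51.100.10", "ok": False},
    {"ts": 120000, "user": "alice", "ip": "198.51.100.10", "ok": False},
    {"ts": 180000, "user": "carol", "ip": "198.51.100.10", "ok": False},  # 3rd distinct user
    {"ts": 240000, "user": "alice", "ip": "198.51.100.10", "ok": False},  # 3rd alice failure
    {"ts": 900000, "user": "dave",  "ip": "203.0.113.7",   "ok": True},   # allow-listed IP
    {"ts": 950000, "user": "eve",   "ip": "192.0.2.9",     "ok": False},  # block-listed IP
]


def in_window(history, now_ms, window_ms, pred):
    """Events satisfying pred whose timestamp lies in (now_ms - window_ms, now_ms]."""
    return [e for e in history if now_ms - window_ms < e["ts"] <= now_ms and pred(e)]


def heuristic_scores(event, history, cfg):
    """Return {heuristic: risk score} for the heuristics that tripped on this event."""
    bf, cs, tripped = cfg["bruteForce"], cfg["credentialStuffing"], {}
    user_failures = in_window(history, event["ts"], bf["BRUTE_FORCE_WINDOW_MS"],
                              lambda e: e["user"] == event["user"] and not e["ok"])
    if len(user_failures) >= bf["BRUTE_FORCE_COUNT_THRESHOLD"]:
        tripped["bruteForce"] = bf["BRUTE_FORCE_RISK_SCORE"]
    users_from_ip = {e["user"] for e in in_window(history, event["ts"], cs["CREDENTIAL_STUFFING_WINDOW_MS"],
                                                   lambda e: e["ip"] == event["ip"] and not e["ok"])}
    if len(users_from_ip) >= cs["CREDENTIAL_STUFFING_COUNT_THRESHOLD"]:
        tripped["credentialStuffing"] = cs["CREDENTIAL_STUFFING_RISK_SCORE"]
    return tripped


def aggregate(scores, strategy):
    """Combine per-heuristic scores as HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY describes."""
    if not scores:
        return 0
    if strategy == "max":
        return max(scores)
    if strategy == "avg":
        return sum(scores) / len(scores)
    if strategy == "sum_floor_to_hundred":
        return min(sum(scores), 100)
    raise NotImplementedError(f"{strategy}: scaling is not defined on this page")


def evaluate(event, history, cfg):
    ip, lists = ipaddress.ip_address(event["ip"]), cfg["block_and_allow_list"]
    listed = lambda name: any(ip in ipaddress.ip_network(n, strict=False) for n in lists[name])
    if listed("ALLOW_LIST"):  # allow-listed IPs bypass heuristics and ML and score 0
        tripped, score = {"allowList": 0}, 0
    else:
        tripped = heuristic_scores(event, history, cfg)
        score = aggregate(list(tripped.values()), cfg["heuristicsConfig"]["HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY"])
        if listed("BLOCK_LIST"):  # block-listed IPs are still evaluated, then forced to 100
            tripped["blockList"] = score = 100
    return {"user": event["user"], "score": score, "tripped": sorted(tripped),
            "flagged": score >= cfg["processConfig"]["risk_score_threshold"]}


def run(events, cfg=CONFIG):
    """Evaluate each event against the events seen so far (the current one included)."""
    history, results = [], []
    for event in sorted(events, key=lambda e: e["ts"]):
        history.append(event)
        results.append(evaluate(event, history, cfg))
    return results


def scores_under(strategy, events=EVENTS, cfg=CONFIG):
    """Final scores for the same replay under a different aggregation strategy."""
    cfg = dict(cfg, heuristicsConfig={"HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY": strategy})
    return [r["score"] for r in run(events, cfg)]


if __name__ == "__main__":
    for r in run(EVENTS):
        print(f"{r['user']:6} score={r['score']:>5} flagged={r['flagged']!s:5} tripped={r['tripped']}")
    for strategy in ("max", "avg", "sum_floor_to_hundred"):
        print(strategy, scores_under(strategy))
```

The fifth event is the instructive one: both rules trip, so the final score is 80 under `max`, 70 under `avg` and 100 under `sum_floor_to_hundred`, which is why the strategy and `risk_score_threshold` have to be chosen together. The last two events show the override semantics from the property table: the allow-listed login never reaches the heuristics, while the block-listed login is evaluated (nothing trips) and then forced to 100 anyway.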