Identity Cloud

Configure the risk settings

Customers in different industry verticals require varying risk policies and heuristics in their applications. ForgeRock designed Autonomous Access’s risk configuration with this in mind.

To enable easy configuration of its risk parameters, Autonomous Access stores its risk configuration settings in a YAML-based file. Users who have the Data_Analyst role can modify the parameters to set how risk is evaluated and how Autonomous Access sends its response back to the Autonomous Access node. The Autonomous Access server polls the configuration file for changes every ten minutes (the default).

Misconfiguration of the file can result in an inoperable service. ForgeRock Professional Services group can assist in the risk configuration process.

Grant Autonomous Access roles

ForgeRock Identity Platform provides two roles that let users use different aspects of Autonomous Access:

  • Fraud analyst. The fraud analyst role lets users access the Risk dashboard, but they cannot run any training or configuration.

  • Data analyst. The data analyst role lets users access the risk administration menu options on Identity Cloud admin UI, but they cannot access the Risk dashboard.

    Administrators are automatically granted both roles and can assign these roles to other users.

Setting Autonomous Access roles

  1. In the Identity Cloud admin UI, go to Identities > Manage. Search for the user(s) to whom you want to assign the roles.

  2. In the Identity Cloud admin UI, go to Native Consoles > Access Management.

  3. Click Identities, and then click the Groups tab.

  4. If the Data_Analyst and Fraud_Analyst groups are not present, you will need to add them as follows:

    1. Click Add Group.

    2. In the Group ID field, enter Data_Analyst, and then click Create.

    3. Repeat the previous step and create a Fraud_Analyst group. Both groups appear in the Groups tab.

  5. Go to Identities > Manage. Select a user to whom you want to add the role.

  6. Click the Groups tab, and in the Name field, select Data_Analyst or Fraud_Analyst.

  7. Repeat the previous two steps to add the roles to other users.

Risk configuration

The risk configuration page provides an extensible, performant server configuration that gives you full control over your Autonomous Access system.

Edit the risk configuration

  1. On the Autonomous Access UI, go to Risk Administration > Risk Config.

  2. Edit any of the threshold parameters for each heuristic as needed.

    version: "1.1"
    bruteForce:
      BRUTE_FORCE_WINDOW_MS: 300000
      BRUTE_FORCE_COUNT_THRESHOLD: 20
      BRUTE_FORCE_RISK_SCORE: 100
    credentialStuffing:
      CREDENTIAL_STUFFING_WINDOW_MS: 600000
      CREDENTIAL_STUFFING_COUNT_THRESHOLD: 5
      CREDENTIAL_STUFFING_RISK_SCORE: 100
    impossibleTravel:
      IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH: 700
      IMPOSSIBLE_TRAVEL_RISK_SCORE: 100
    suspiciousIp:
      SUSPICIOUS_IP_WINDOW_MS: 300000
      SUSPICIOUS_IP_COUNT_THRESHOLD: 10
      SUSPICIOUS_IP_RISK_SCORE: 100
    uebaConfig:
      RISK_SCORE_RATIO: 0.25
      RISK_SCORE_CENTER_SIGMA: 50
      RISK_SCORE_BASELINE_THRESSHOLD_SIGMA: 6
      USER_COUNT_CUTOFF_FOR_SCORE: 20
    userAgentRule:
      USER_AGENT_RULE_RISK_SCORE: 100
    doubleJeoPardy:
      MFA_TIMEOUT: 60
    heuristicsConfig:
      HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY: max
    processConfig:
      risk_score_threshold: 50
      UEBA_AGGREGATION_STRATEGY: max
      HEURISTIC_AGGREGATION_STRATEGY: max
      RISK_PROCESS_TIMEOUT: 950
    distributed_attack_heuristic:
      DISTRIBUTED_ATTACK_WINDOW_MS: 600000
      DISTRIBUTED_ATTACK_COUNT_THRESHHOLD: 7
      DISTRIBUTED_ATTACKC_RISK_SCORE: 100
    block_and_allow_list:
      BLOCK_LIST: []
      ALLOW_LIST: []

    The properties are defined as follows:

    Risk configuration properties

    Brute force

    BRUTE_FORCE_WINDOW_MS

    Number of milliseconds back in time to look for brute force events. Default: 300000. Minimum: 0.

    BRUTE_FORCE_COUNT_THRESHOLD

    Number of events required to trigger the rule. Default: 20. Minimum: 1.

    BRUTE_FORCE_RISK_SCORE

    Brute force risk score returned if the rule is tripped. Default: 100. Minimum: 1.

    Credential stuffing

    CREDENTIAL_STUFFING_WINDOW_MS

    Number of milliseconds back in time to look for credential stuffing events. Default: 600000. Minimum: 0.

    CREDENTIAL_STUFFING_COUNT_THRESHOLD

    Number of events required to trigger the rule. Default: 5. Minimum: 1.

    CREDENTIAL_STUFFING_RISK_SCORE

    Credential stuffing risk score returned if the rule is tripped. Default: 100. Minimum: 1; maximum: 100.

    Impossible travel

    IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH

    Speed in miles per hour above which the events will be flagged. Default: 700 mph. Minimum: 1; maximum: 5000.

    IMPOSSIBLE_TRAVEL_RISK_SCORE

    Impossible travel risk score returned if the rule is tripped. Default: 100. Minimum: 1; maximum: 100.

    Suspicious IP

    SUSPICIOUS_IP_WINDOW_MS

    Number of milliseconds back in time to look for suspicious IP events. Default: 300000. Minimum: 60; maximum: 480.

    SUSPICIOUS_IP_COUNT_THRESHOLD

    Number of events required to trigger the rule. Default: 10. Minimum: 1.

    SUSPICIOUS_IP_RISK_SCORE

    Suspicious IP risk score returned if the rule is tripped. Default: 100.

    UEBA config

    RISK_SCORE_RATIO

    Used for the calculation of the risk score. Default: 0.25. Minimum: 0; maximum: 1.

    RISK_SCORE_CENTER_SIGMA

    Used for the calculation of the risk score. Default: 50. Minimum: 1.

    RISK_SCORE_BASELINE_THRESHOLD_SIGMA

    Used for the calculation of the risk score. Default: 6. Minimum: 1.

    USER_COUNT_CUTOFF_FOR_SCORE

    Used for the calculation of the risk score. Default: 20. Minimum: 10.

    User agent rule

    USER_AGENT_RULE_RISK_SCORE

    User agent rule risk score when an incoming user agent string is matched against a known pattern of botnet user agents. Default: 100. Minimum: 1; maximum: 100.

    Double jeopardy

    MFA_TIMEOUT

    Multifactor authentication timeout in minutes if double jeopardy is enabled. Default: 60.

    Heuristics config

    HEURISTIC_RISK_SCORE_COMPUTE_STRATEGY

    Type of strategy to determine the heuristic risk score. Options are:

    • max: Final risk score is the maximum heuristic risk score assigned to the user. Default.

    • avg: Final risk score is the average of all heuristic risk scores assigned to a user.

    • softmax: Final risk score is measured as a percentage and obtained from the softmax function.

    • sum_floor_to_hundred: Final risk score is capped at 100.

    Process config

    RISK_SCORE_THRESHOLD

    Risk score threshold for UEBA and heuristics, displayed on the risk dashboard. Default: 50. Minimum: 1; maximum: 100.

    UEBA_AGGREGATION_STRATEGY

    Type of aggregation strategy for UEBA signals:

    • max: Final risk score is the maximum UEBA risk score assigned to the user. Default.

    • avg: Final risk score is the average of all UEBA risk scores assigned to a user.

    • softmax: Final risk score is measured as a percentage and obtained from the softmax function.

    • sum_floor_to_hundred: Final risk score is capped at 100.

    HEURISTIC_AGGREGATION_STRATEGY

    Not needed.

    RISK_PROCESS_TIMEOUT

    Maximum risk processing time in milliseconds. Once the timeout occurs, risk scores are no longer processed. Default: 950 ms. Minimum: 1 ms; maximum: 1000 ms.

    Block and Allow list

    BLOCK_LIST: [ ]

    Overrides the risk score of IP addresses in the block list with a value of 100. You must also enable the Allow/Block List heuristic on your journey’s Signal node.

    • Supports IPv4 and IPv6 formats.

    • Specify single IP addresses, like 10.0.48.0, or IP subnets, like 10.0.48.0/24.

    • Cannot use regular expressions or wildcards with the IP addresses.

    • IPs on the block list are still subjected to heuristics and machine learning, but their computed risk score is overridden with a score of 100.

    ALLOW_LIST: [ ]

    Overrides the risk score of IP addresses in the allow list with a value of 0. Allow list IP addresses bypass heuristics and machine learning analytics. You must also enable the Allow/Block List heuristic on your journey’s Signal node.

    • Supports IPv4 and IPv6 formats.

    • Specify single IP addresses, like 10.0.48.0, or IP subnets, like 10.0.48.0/24.

    • Cannot use regular expressions or wildcards with the IP addresses.

    • Assigns a risk score of 0 to any IPs on the allow list and excludes them from heuristics and machine learning.

    Distributed attack heuristic

    DISTRIBUTED_ATTACK_WINDOW_MS

    Number of milliseconds back in time to look for distributed attack events. Default: 60000. Minimum: 0.

    DISTRIBUTED_ATTACK_COUNT_THRESHOLD

    Number of events required to trigger the rule. Default: 7.

    DISTRIBUTED_ATTACK_RISK_SCORE

    Risk score returned if the rule is tripped. Default: 100. Minimum: 1.

  3. After you have made your changes to the file, click Save. The Preview Risk Evaluation popup window appears.

  4. On the Preview Risk Evaluation popup window, do the following:

    1. Click Bucket Search to select your data source location or type the name of the data source location.

    2. Optional. Enter an object prefix to filter your search results.

    3. Next to your desired object, click the trailing dots, and then click Preview Object to display your data source change(s).

    4. Click Preview Risk Evaluation to review a simulated risk evaluation for the first event.

    5. If you are satisfied with your change(s), click Save Config.
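The following Python script is an added example, not ForgeRock's code or part of the product. It reads a risk configuration in the YAML layout shown in step 2, checks each value against the minimums and maximums the property table states (the kind of mistake that would otherwise make the service inoperable), and then shows how the documented aggregation strategies and the BLOCK_LIST / ALLOW_LIST override combine into a final score that is compared with risk_score_threshold. The two-level parser, the RANGES table, the softmax reading, and the sample IP lists are this example's own assumptions; the real server's scoring internals are not documented on the page.

```python
"""Added example (not ForgeRock's code): validate an Autonomous Access risk
configuration against the documented bounds and illustrate score aggregation
and the block/allow list override.  Assumptions are marked in comments."""
import ipaddress
import math

# Constructed subset of the default configuration shown on the page, with
# example IP lists added (TEST-NET ranges, not real addresses).
RISK_CONFIG_YAML = """\
version: "1.1"
bruteForce:
  BRUTE_FORCE_WINDOW_MS: 300000
  BRUTE_FORCE_COUNT_THRESHOLD: 20
  BRUTE_FORCE_RISK_SCORE: 100
impossibleTravel:
  IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH: 700
  IMPOSSIBLE_TRAVEL_RISK_SCORE: 100
uebaConfig:
  RISK_SCORE_RATIO: 0.25
processConfig:
  risk_score_threshold: 50
  RISK_PROCESS_TIMEOUT: 950
block_and_allow_list:
  BLOCK_LIST: [203.0.113.0/24]
  ALLOW_LIST: [198.51.100.7]
"""

def _scalar(value):
    """Turn a YAML scalar or a flow list like [a, b] into a Python value."""
    if value.startswith("[") and value.endswith("]"):
        return [v.strip() for v in value[1:-1].split(",") if v.strip()]
    for cast in (int, float):
        try:
            return cast(value)
        except ValueError:
            pass
    return value.strip('"')

def parse_risk_config(text):
    """Minimal parser for the two-level 'section:' / '  KEY: value' layout
    used by the risk file (assumption: a real YAML library works as well)."""
    config, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")   # first colon ends the key
        value = value.strip()
        if not raw.startswith(" "):                  # top-level line
            if value == "":
                section = key
                config[section] = {}
            else:
                config[key] = _scalar(value)
            continue
        config[section][key] = _scalar(value)
    return config

# (minimum, maximum) per property as stated in the property table on the page;
# None means the page states no bound on that side.
RANGES = {
    "BRUTE_FORCE_WINDOW_MS": (0, None),
    "BRUTE_FORCE_COUNT_THRESHOLD": (1, None),
    "BRUTE_FORCE_RISK_SCORE": (1, None),
    "IMPOSSIBLE_TRAVEL_SPEED_CUTOFF_MPH": (1, 5000),
    "IMPOSSIBLE_TRAVEL_RISK_SCORE": (1, 100),
    "RISK_SCORE_RATIO": (0, 1),
    "risk_score_threshold": (1, 100),
    "RISK_PROCESS_TIMEOUT": (1, 1000),
}

def validate(config):
    """Return a list of problems; an empty list means every known numeric value
    lies inside its documented range.  Run this before clicking Save."""
    problems = []
    for section, values in config.items():
        if not isinstance(values, dict):
            continue
        for key, value in values.items():
            if key not in RANGES or isinstance(value, (list, str)):
                continue
            lo, hi = RANGES[key]
            if lo is not None and value < lo:
                problems.append(f"{section}.{key}={value} is below minimum {lo}")
            if hi is not None and value > hi:
                problems.append(f"{section}.{key}={value} is above maximum {hi}")
    return problems

def aggregate(scores, strategy="max"):
    """Combine per-heuristic scores per the four documented strategy names.
    The softmax reading (softmax-weighted mean of the scores, on a 0..100
    scale) is this example's assumption; the page gives no formula."""
    if not scores:
        return 0.0
    if strategy == "max":
        return float(max(scores))
    if strategy == "avg":
        return sum(scores) / len(scores)
    if strategy == "softmax":
        weights = [math.exp(s / 100) for s in scores]
        total = sum(weights)
        return sum(w / total * s for w, s in zip(weights, scores))
    if strategy == "sum_floor_to_hundred":
        return float(min(100, sum(scores)))
    raise ValueError(f"unknown strategy {strategy!r}")

def _listed(ip, networks):
    # ip_network() accepts a bare address (a /32 or /128) or a CIDR subnet;
    # an IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)

def final_score(client_ip, heuristic_scores, config, strategy="max"):
    """Allow-listed IPs get 0 and skip analysis; block-listed IPs are still
    scored but the result is overridden with 100; others keep the aggregate."""
    ip = ipaddress.ip_address(client_ip)
    lists = config["block_and_allow_list"]
    if _listed(ip, lists["ALLOW_LIST"]):
        return 0.0
    computed = aggregate(heuristic_scores, strategy)
    return 100.0 if _listed(ip, lists["BLOCK_LIST"]) else computed

def exceeds_threshold(score, config):
    """True when the score reaches risk_score_threshold from processConfig."""
    return score >= config["processConfig"]["risk_score_threshold"]

if __name__ == "__main__":
    cfg = parse_risk_config(RISK_CONFIG_YAML)
    print("problems:", validate(cfg) or "none")
    print("192.0.2.1 ->", final_score("192.0.2.1", [30, 80], cfg))
```

A change such as RISK_PROCESS_TIMEOUT: 5000 is reported by validate() before it reaches the server, which matches the page's advice that a malformed file can take the service down; the parser deliberately rejects nothing it does not know about, so keys the page leaves unbounded pass through untouched.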

Copyright © 2010-2024 ForgeRock, all rights reserved.