Identity Cloud

Dashboards

Autonomous Access provides a simple and intuitive graphical UI displaying the risks detected across your organization. The dashboard displays the risky events specific to the realm that you are in.

This section provides an overview of the Autonomous Access UIs available with your deployment.

Risk dashboard

On the Risk dashboard, Autonomous Access displays a sortable list of "anomalous" or risky events discovered during the AI/ML pipeline run.

To access the Risk dashboard, from the left navigation pane, navigate to Dashboard > Risk.

Each event displays a summary of the event with the following information:

Data Element: Description

User Identifier: The username on the account.

Date of Occurrence: The date the anomalous event occurred.

Risk Score: The risk score associated with the event. A risk score combines the likelihood that an anomalous behavior event and/or a known threat was detected. A risk score of 100 therefore indicates the highest likelihood that an access attempt was an anomaly and/or a known threat.

Heuristics: The type of heuristic used in the AI/ML analytics. The heuristic indicates the type of risk threat. These include:

  • Automated User Agent

  • Brute Force

  • Credential Stuffing

  • Impossible Traveller

  • Suspicious IP

City, Country: The geolocation information for city and country.

Browser Type: The browser type the user was using during the anomalous event.

You can sort the activity events list by clicking Sort: Risk Score and selecting one of the following:

  • Descending risk score (default sorting)

  • Event time

  • Username

Figure 1. The Autonomous Access Risk dashboard

In the right column, the Risk dashboard displays a world map with the number of risky events in each circle. By default, the dashboard displays all risk scores of 50 and above. You can change this setting by changing the risk_score_threshold value in the Risk Configuration. Refer to Configuration.

You can click and drag directly on the map to access events in other countries. If you click one of the red numbers, the dashboard displays a summary of risky events and the average risk score associated with those events.

Figure 2. Summary of risky geolocation events

Risk activity detail page

To investigate a particular risk event, click the activity event in the left-hand column. The Activity Detail modal displays the specific details of the event including transaction ID, user, risk score, time, location, device, and user agent plus a map of where the activity took place.

The modal also lists the user’s last five risky authentication attempts and the possible type of heuristic discovered (for example, Automated User Agent). Any category that differs from normal behavior is marked with "Unusual <category>" (for example, "Unusual City").

Figure 3. Activity detail page

Filtering by date range

You can filter the displayed risky events in a number of useful ways. If you select the Date filter, you can filter the dashboard to display only certain dates and ranges. The options are:

  • Today: Display only events occurring today.

  • This Week: Display only the events occurring this week.

  • This Month: Display only the events occurring this month.

  • Custom: Display the events based on your selected calendar date range.

Figure 4. Risk dashboard date filtering

Filtering by risk score

The Risk dashboard supports filtering by risk score range.

Figure 5. Activity page risk score filtering

Advanced filtering

The Risk dashboard supports advanced filtering by attribute type and value, as well as by heuristic. The attributes are derived from the information in the user agent string. The AI/ML pipelines use the heuristics occurring in the selected timeframe.

To use advanced filtering:

  1. On the Risk dashboard, click Filters. A filters dialog/modal appears.

  2. Under Attribute Filters, click the Feature drop-down list, and select one of the following attributes:

    Attribute: Description

    City: The city where the risky event occurred, for example, Bristol or Toronto.

    Country: The country where the risky event occurred, for example, United States, Singapore, or Great Britain.

    Device: The device that may have made the risky action, for example, iPad, Mac, or Other.

    Device Type: The device type of the system that made the risky action, for example, Apple or Samsung.

    OS: The operating system of the computer, for example, iOS, Linux, or Android.

    OS Version: The operating system version, for example, 10, 11, or 14.

    Time of Day: The timestamp of the risk event.

    User Agent: The User-Agent request header, which identifies the browser and operating system to the web server.

    User ID: The user ID of the account that may have been compromised.

  3. Enter a value for the attribute filter you created in the previous step.

  4. Click the Risk Reason menu to select one of the following heuristics:

    Heuristic: Description

    Automated User Agent: A detected threat where an automated bot is in the user-agent string.

    Brute Force: A detected threat where direct users are failing multiple authentication attempts.

    Credential Stuffing: A detected threat where an IP address is attempting to access a number of different users in a period of time.

    Impossible Travel: A detected threat where an attacker runs multiple authentication attempts from various locations in a short time span, making such travel impossible for a single person.

    Suspicious IP: A detected threat where a user at an IP address is making many authentication attempts over a period of time.

    Unusual City: A detected threat where a user at an IP address is making authentication attempts at a different city.

    Unusual Country: A detected threat where a user at an IP address is making authentication attempts in a different country.

  5. When done, click Apply. The Risk dashboard displays only the events that match your filter criteria.

    Figure 6. Risk dashboard advanced filtering
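
The Automated User Agent, Brute Force, and Credential Stuffing descriptions in the Risk Reason list can be read as windowed checks over authentication events, which helps when interpreting why an event carries a given heuristic. The following is an added illustration, not ForgeRock code and not the Autonomous Access AI/ML pipeline; the event fields, window, thresholds, and bot tokens are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added illustration, not ForgeRock code. All values below are assumptions.
WINDOW = timedelta(minutes=10)
MAX_FAILS_PER_USER = 5      # Brute Force: failed attempts on one account
MAX_USERS_PER_IP = 4        # Credential Stuffing: distinct accounts from one IP
BOT_TOKENS = ("curl", "python-requests", "headlesschrome")

def classify(events):
    """Map event id -> sorted heuristic names for every flagged event."""
    flags = defaultdict(set)
    fails = defaultdict(list)   # user -> [(ts, id)] failures inside WINDOW
    by_ip = defaultdict(list)   # ip -> [(ts, user)] attempts inside WINDOW
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, eid = e["ts"], e["id"]
        if any(tok in e["ua"].lower() for tok in BOT_TOKENS):
            flags[eid].add("Automated User Agent")
        if not e["ok"]:
            recent = [x for x in fails[e["user"]] if ts - x[0] <= WINDOW]
            recent.append((ts, eid))
            fails[e["user"]] = recent
            if len(recent) >= MAX_FAILS_PER_USER:
                flags[eid].add("Brute Force")
        seen = [x for x in by_ip[e["ip"]] if ts - x[0] <= WINDOW]
        seen.append((ts, e["user"]))
        by_ip[e["ip"]] = seen
        if len({user for _, user in seen}) >= MAX_USERS_PER_IP:
            flags[eid].add("Credential Stuffing")
    return {eid: sorted(names) for eid, names in flags.items()}

# Constructed sample events (documentation-range IPs, invented users).
T0 = datetime(2023, 5, 1, 9, 0)
BROWSER = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"

def ev(eid, minute, user, ip, ua, ok):
    return {"id": eid, "ts": T0 + timedelta(minutes=minute),
            "user": user, "ip": ip, "ua": ua, "ok": ok}

SAMPLE = (
    [ev(i, i, u, "203.0.113.7", "python-requests/2.31", False)
     for i, u in enumerate(["alice", "bob", "carol", "dave"])]
    + [ev(10 + i, i, "erin", "198.51.100.20", BROWSER, False) for i in range(5)]
    + [ev(20, 3, "frank", "192.0.2.44", BROWSER, True)]
)

if __name__ == "__main__":
    for eid, names in sorted(classify(SAMPLE).items()):
        print(eid, names)
```

In the sample, one event can carry more than one heuristic, which is why filtering by a single Risk Reason may still return events that also match another.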
Copyright © 2010-2023 ForgeRock, all rights reserved.