Analytics Findings and Risk

This feature is currently available only to customers participating in a Public Preview. For details, see Preview Program.

Analytics generates alerts based on different rules, deviations from those rules, or any risk detected on the account. For example, an alert could be generated when an attempt is made to guess the account password.

Based on the alerts that are triggered for each user, the Delinea Platform calculates the risk of the platform account. Only unresolved alerts count toward this risk. The analytics feature calculates a risk score for each user: low, medium, high, or N/A if no alerts were found for the user.

Refer to the Threat Center for basic information regarding alerts.

Risk Scores

Risk is shown in the Risk Score column in the Users table. (From the left navigation, select Access > Users.) For more information about the Users table, see Managing User Accounts.

You can select a user from the list to view a details page, then select the User risk tab. This tab shows the user's risk score and the alerts that contributed to the score. If the user has a risk score with contributing alerts, you can review on this page how each alert contributes to the user risk and why it was triggered.

If you find any alert that contributes to the user risk but determine that the alert is wrong or is an expected risk, you can mark the alert as a false positive. This resolves the alert and reduces the user's risk.

Configuring Risk

Although Analytics is enabled by default on all platform tenants, the following features allow you to align it more closely with your needs:

  • Alert Settings

    Alert settings allow you to define a query of existing inventories and generate an alert when the query produces matching results. See Configuring Alert Settings.

  • Risk Configuration

    By understanding risk, you can highlight the identified weaknesses and prioritize actions according to the potential impact of a security breach. See Configuring Risk.

  • Risk-Based Access Control

    In order to use analytics risk scores and control access to the platform, you need to create an identity policy. Refer to Identity Policies.

  • Identity Policies with Authentication

    By configuring an identity policy with an authentication rule, you can control access based on risk.

    Select Access, then Identity policies. Create a new policy or choose an existing policy.

    Select the Authentication tab. In the Authentication Rules section, click Edit, then Add Rule. Supply a Name for the new rule and select an Authentication profile or add a new profile. For Authentication conditions, specify the risk for the associated users and select the appropriate risk values. Click Save, then Add.

    We recommend setting a policy that requires High/Critical risk users to only use the corporate IP and login with MFA. See Authentication Profiles.

Permissions

These permissions are required to view and manage alerts on the Alerts page, as well as the Analytics Dashboard. Permissions are assigned to a role, then the role is assigned to a user. Refer to Roles and Permissions.

View Alerts - allows you to view all alerts on the Alerts page. From the dashboard, click the linked title in the Latest Alerts pane.

Update Alerts - allows you to mark false positives for alerts.

Manage Alerts - allows you to view the Risk Analysis page and the Risk Configuration page, where risk scores are managed and defined.

View Cases - allows you to view cases (aggregated sets of alerts). See Using Cases.

Update Cases - allows you to close cases.

Manage Cases - allows you to view the Case Management page, where you can change the case severity.


Responding to Risk

The Delinea Platform enables you to define identity authentication policies that incorporate user risk as a key factor in access decisions.

Multi-factor authentication (MFA) rules for federated logins are only enforced if the Apply additional MFA after federation option is selected. Delinea recommends enabling this option to ensure risk-based controls are applied to identity provider (IdP)-based logins.

For best results, create a dedicated group that includes all IdP-based identities. This group can be used in addition to any existing permission groups and should serve as the target for applying risk-based authentication policies.

Risk Report

You can schedule a report of all risky users. This report provides insight into the landscape of risky users, according to low/medium/high/critical risk.

Select Insights > Reports and select Schedule a Report. Specify Risky Accounts as the report Type and select the Frequency of the report. Add the email of any Recipients (press Enter after each email). Click Schedule. See Recurring Reports.