Behavior analysis
This section presents the reports compiled from the behavior each user exhibits when using senhasegura and its managed devices and credentials. Behavior is evaluated by time, quantity and data segments against a historical baseline of all users or of the user in question.
Although each report focuses on one type of anomaly, all user actions within proxy sessions and password withdrawal activities are evaluated and scored considering all types of behavioral monitoring.
Excessive access
Menu Behavior ➔ Behavior Analysis ➔ Excessive number of accesses.
Presents a ranking of credential accesses. For each record, the record action opens a detailed view of how the credential was used.
The Excessive number of credential accesses report presents the following information:
Target: Destination device of the credential;
Credential: Credential that had excessive access;
Protocol: Protocol used in the session;
Privileged: Indicates whether or not the credential is for privileged use;
Accesses: Number of times the credential was used;
The detail report "Unusual access", opened through the record action, contains the following information:
ID: Usage identifier;
Origin: IP of the user who used the credential;
User: Name of the user who used the credential;
Target: Destination device of the target credential;
Credential: Credential that had excessive access;
Protocol: Protocol used in the session;
Start: Login;
Ends: End of Session;
Duration: Session duration;
Privileged?: Indicates whether or not the credential is for privileged use;
Origin?: Indicates whether the origin is unusual for use of the credential;
Destination?: Indicates whether the destination is unusual for use of the credential;
Credential?: Indicates whether use of the credential is unusual for the user;
Timetable?: Indicates whether the time of use is unusual;
Duration?: Indicates whether the session duration is unusual;
Risk: Risk score of this session, given the number of behavioral anomalies found;
Accesses at unusual time
Menu Behavior ➔ Behavior Analysis ➔ Accesses at unusual time.
Presents the list of all proxy accesses that occurred at unusual times. The following fields are present:
ID: Usage identifier;
Origin: IP of the user who used the credential;
User: Name of the user who used the credential;
Target: Destination device of the target credential;
Credential: Credential that had excessive access;
Protocol: Protocol used in the session;
Privileged: Indicates whether or not the credential is for privileged use;
Start: Login;
Ends: End of Session;
Duration: Session duration;
Risk: Risk score of this session, given the number of behavioral anomalies found;
Accesses by unusual origin
Menu Behavior ➔ Behavior Analysis ➔ Accesses by unusual origin.
Presents a ranking of the origins with the highest number of accesses with anomalies, and the average risk score of those sessions. The detail view presents the "Unusual access" report, described above.
ID: Usage identifier;
Origin: IP of the user who used the credential;
User: Name of the user who used the credential;
Target: Destination device of the target credential;
Credential: Credential that had excessive access;
Protocol: Protocol used in the session;
Privileged: Indicates whether or not the credential is for privileged use;
Start: Login;
Ends: End of Session;
Duration: Session duration;
Risk: Risk score of this session, given the number of behavioral anomalies found;
Accesses with unusual average length
Menu Behavior ➔ Behavior Analysis ➔ Accesses with unusual average length.
Lists the proxy accesses whose duration is unusual compared with the pattern of the user's sessions. It presents the following fields:
ID: Usage identifier;
Origin: IP of the user who used the credential;
User: Name of the user who used the credential;
Target: Destination device of the target credential;
Credential: Credential used for access;
Protocol: Protocol used in the session;
Start: Login;
Ends: End of Session;
Duration: Session duration;
Risk: Risk score of this session, given the number of behavioral anomalies found;
Unusual credential view
Menu Behavior ➔ Behavior Analysis ➔ Unusual credential view.
Presents a ranking of the credentials that were queried most often with risk scores involved. The detail view presents the "Unusual credential view" report, described above. The following columns are presented:
Device: Device hosting the credential;
Username: Credential that is ranked;
Password Type: Type of credential;
Additional information: Additional information from the credential, if any;
Privileged?: Indicates whether or not the credential is privileged;
Viewing data: Number of queries made to this credential;
Total Risk: Sum of risk scores of the uses of this credential;
Views on unusual time
Menu Behavior ➔ Behavior Analysis ➔ Views on unusual time.
Presents all events where a user made a query on a particular credential at an unusual time.
ID: Usage identifier;
Origin: IP of the user who used the credential;
User: Name of the user who used the credential;
Device: Destination device of the target credential;
Username: Credential that had unusual use;
Password Type: Type of credential;
Additional information: Additional information from the credential, if any;
Privileged?: Indicates whether or not the credential is privileged;
Viewing date: Date and time the consultation took place;
Risk: Sum of risk scores of the uses of this credential;
Views with unusual credential
Menu Behavior ➔ Behavior Analysis ➔ Views with unusual credential.
Shows all events in which a user made a query to a specific credential that they do not normally use.
ID: Usage identifier;
Origin: IP of the user who used the credential;
User: Name of the user who used the credential;
Device: Destination device of the target credential;
Username: Credential that had unusual use;
Password Type: Type of credential;
Additional information: Additional information from the credential, if any;
Privileged?: Indicates whether or not the credential is privileged;
Viewing date: Date and time the consultation took place;
Risk: Sum of risk scores of the uses of this credential;
Views with unusual origin
Menu Behavior ➔ Behavior Analysis ➔ Views with unusual origin.
Presents all events where a user made a query to a particular credential from an unusual source.
ID: Usage identifier;
Origin: IP of the user who used the credential;
User: Name of the user who used the credential;
Device: Destination device of the target credential;
Username: Credential that had unusual use;
Password Type: Type of credential;
Additional information: Additional information from the credential, if any;
Privileged?: Indicates whether or not the credential is privileged;
Viewing date: Date and time the consultation took place;
Risk: Sum of risk scores of the uses of this credential;
Audited command
Menu Behavior ➔ Occurrences ➔ Audited command.
Ranking of proxy sessions by the audited commands that were executed. The detail view shows which sessions these were.
Command: Name of the audited command that was executed;
Criticism: Criticality of the command;
Sessions: Number of sessions in which the command was executed;
Sessions by command and device
Menu Behavior ➔ Occurrences ➔ Device.
Ranking of proxy sessions by the audited commands that were executed, the devices they were executed on and the credential that was used. The detail view shows which sessions these were.
Command: Name of the audited command that was executed;
Remote device: Target device of the command;
Sessions: Number of sessions in which the command was executed;
Sessions by command and credential
Menu Behavior ➔ Occurrences ➔ Credential.
Ranking of proxy sessions by the audited commands that were executed, the devices they were executed on and the credential that was used. The detail view shows which sessions these were.
Command: Name of the audited command that was executed;
Action during session: Action that was taken according to the registration of the audited command;
Remote device: Target device of the command;
Credential: Credential that was used;
Sessions: Number of sessions in which the command was executed;
Sessions by command and local user
Menu Behavior ➔ Occurrences ➔ Local user.
Ranking of proxy sessions by audited command, target device, credential used and account used. The detail view shows which sessions these were.
Command: Name of the audited command that was executed;
Action during session: Action that was taken according to the registration of the audited command;
Remote device: Target device of the command;
Credential: Credential that was used;
Local User: senhasegura user account that used the credential;
Sessions: Number of sessions in which the command was executed;
This functionality analyzes credential password changes made by users. Administrator users are notified whenever another user manually changes the password of a credential that senhasegura successfully rotated in its last attempt. According to the number of password changes defined in the Unusual change password field of User Behavior as necessary to characterize a risk, a notification is sent and a report lists the occurrence of this event, with information on who changed the password and when. This occurrence is listed in the menu Behavior ➔ Behavior Analysis ➔ User Posture.
Example scenario: a user opens PAM Core ➔ Credentials ➔ All ➔ Edit, chooses a credential that already has successful password changes, changes the value of the "Password" field and saves. This can be risky behavior. It is defined by the admin user in Settings ➔ System Parameters ➔ System Parameters ➔ User Behavior.
Important! This report must be available to all users who have the Behavior.list permission.
To create a report in the Behavior ➔ Behavior Analysis ➔ Unusual password change module.
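The unusual password change rule described above can be reproduced over exported events for independent review. The following is an added example, not senhasegura code: the event format, the field names and the choice to count occurrences per user are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (hypothetical format, not a senhasegura export).
EVENTS = [
    {"ts": "2024-05-01T02:00:00", "type": "rotation", "credential": "root@db01", "ok": True},
    {"ts": "2024-05-01T02:00:05", "type": "rotation", "credential": "admin@fw01", "ok": False},
    {"ts": "2024-05-01T09:12:00", "type": "manual_change", "credential": "root@db01", "user": "alice"},
    {"ts": "2024-05-01T09:30:00", "type": "manual_change", "credential": "admin@fw01", "user": "bob"},
    {"ts": "2024-05-02T02:00:00", "type": "rotation", "credential": "root@db01", "ok": True},
    {"ts": "2024-05-02T10:01:00", "type": "manual_change", "credential": "root@db01", "user": "alice"},
    {"ts": "2024-05-02T10:05:00", "type": "manual_change", "credential": "root@db01", "user": "alice"},
]


def unusual_password_changes(events, threshold):
    """Return {user: [(when, credential), ...]} for users at or above threshold.

    threshold plays the role of the "Unusual change password" setting:
    the number of manual changes needed to characterize a risk.
    """
    last_rotation_ok = {}            # credential -> result of latest rotation attempt
    occurrences = defaultdict(list)  # user -> manual changes that count
    # Sort first so out-of-order exports do not distort "last attempt".
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        cred = ev["credential"]
        if ev["type"] == "rotation":
            last_rotation_ok[cred] = ev["ok"]
        elif ev["type"] == "manual_change":
            # Count only changes to credentials whose last automatic rotation
            # succeeded; failed or never-rotated credentials are ignored.
            if last_rotation_ok.get(cred) is True:
                occurrences[ev["user"]].append((ev["ts"], cred))
    return {u: occ for u, occ in occurrences.items() if len(occ) >= threshold}


if __name__ == "__main__":
    for user, occ in unusual_password_changes(EVENTS, threshold=2).items():
        for when, cred in occ:
            print(f"{user} manually changed {cred} at {when}")
```

In the sample, bob's change is not counted because the last rotation of that credential failed, which is the case where a manual fix is expected.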