Documentation

Introduction

Use this guide to connect Exabeam UEBA to SecureAuth IdP in order to enable User Risk Adaptive Authentication analysis.

For more information on configuring Adaptive Authentication, see Adaptive Authentication Tab Configuration.

Exabeam takes existing security-related output from logs and log systems (e.g. Splunk) and analyzes that data for anomalous behavior in a process called Stateful User Tracking. Indicators of anomalous behavior include usage patterns like time of day, location, device, VPN connection, and credentials. Exabeam then assigns the user a Risk Score.

SecureAuth IdP accesses that score via API and then takes action based on the level of threat indicated by that score. The SecureAuth IdP admin can configure score thresholds for High, Medium and Low risk behavior and assign an Action to take for each level.

In SecureAuth IdP version 9.2, a new offering is available from SecureAuth's Prevent Threat Service package. Advanced adaptive capability powered by machine learning tracks and analyzes the login behavior patterns of authorized users for a period of time to identify their normal patterns, and then assigns each user a personal risk score. Bad actors' attempts to impersonate authorized users in order to gain access to the targeted site fail, since a login behavior pattern and risk score are unique to each user. See Machine learning User Risk Score calculations in Adaptive Authentication (version 9.2) and SecureAuth IdP 9.2.0-19 hotfix for machine learning deployment for more information.

Prerequisites

1. Ensure SecureAuth IdP v9.1+ is running

2. Have an existing on-premises installation of Exabeam UEBA

3. Have a Trusted Certificate installed on the Exabeam server

Web Admin Configuration Steps
For SecureAuth IdP v9.1
Data
Profile Connection Settings

 

1. In the Profile Connection Settings section, configure the following settings:

a. Select REST API (read only) from the Data Server dropdown

b. Provide the root URL of the Exabeam instance in the Base URL field

c. Enter /api/user/{username}/info in the Get Profile Relative URL field

d. Select Cookie from the Authentication Method dropdown

e. Provide the Username of an Exabeam service account that has access to retrieve user profile information

f. Provide the Password associated with the Username

g. In Authentication Relative URL, enter /api/auth/login

Profile Fields

 

2. In the Profile Fields section, map the riskScore JSON path to a chosen Property (e.g. Phone 4) as follows:

a. Click the Source link next to the selected Property (usually "Default Provider")

b. In the dropdown that appears, select REST

 

c. In the Field text box, enter the riskScore JSON path: {userInfo}{riskScore}

The curly braces are SecureAuth's method of denoting key levels, i.e. the riskScore key is a child of the userInfo key

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes

Adaptive Authentication

 

3. Check Enable User Risk

4. In the From field of each risk level (High, Medium, Low), enter the User Risk score that will trigger the action for that level

5. From the Action dropdown for each risk level (High, Medium, Low), configure the action to be taken when the User Risk score of an end-user falls within the specified range

6. In the No Score Returned field, configure the action to take when the Adaptive Authentication engine is unable to retrieve an end-user's risk score

This can occur if the user is not found in the data source or does not have a score assigned in the data source

See the KB article Unable to Communicate with the User Risk Adaptive Authentication Data Provider for more information if SecureAuth IdP is unable to communicate with the data source

7. From the Profile Field dropdown, select the Property (configured on the Data page) to which the Profile Field containing the User Risk score is mapped

Click Save once the configuration has been completed and before leaving the Adaptive Authentication page to avoid losing changes

For SecureAuth IdP v9.2
User Risk (without Machine Learning)
Adaptive Authentication
User Risk

 

1. In the User Risk section, toggle the switch to Enabled to enable this analysis feature

2. Click Add User Risk Score Provider

Add New Risk Provider

 

3. Configure the Risk Ranges for Minimum, Medium, High, and Maximum risk scores

4. Under Connection Settings, enter the Risk Score Provider Name

5. Enter the Base URL of the Exabeam instance in the format https://services.company.com:59

6. Enter /api/user/{username}/info in the Get Profile Relative URL field

7. Select Cookie from the Authentication Method dropdown

8. Enter the Username of an Exabeam service account that has access to retrieve user profile information

9. Provide the Password associated with the Username

10. Enter /api/auth/login in the Authentication Relative URL field

11. From the Risk Score User Identifier dropdown, select the field that stores the user risk score, that is, the directory Profile Field mapped to the Property configured on the Data page

NOTE: The default setting is User Authenticated ID, which is usually used by SecureAuth User Risk


Property selections available from the Risk Score User Identifier dropdown include:

  • Phone 1
  • Phone 2
  • Phone 3
  • Phone 4
  • Email 1
  • Email 2
  • Email 3
  • Email 4
  • Aux ID 1
  • Aux ID 2
  • Aux ID 3
  • Aux ID 4
  • Aux ID 5
  • Aux ID 6
  • Aux ID 7
  • Aux ID 8
  • Aux ID 9
  • Aux ID 10

12. Enter {userInfo}{riskScore} as the Risk Score JSON Path of the Risk Score User Identifier

13. Click Save to save the Exabeam user risk configuration

 

14. Under User Risk Score Actions, specify the action SecureAuth IdP will take if the user risk score falls within the specified range by making a selection from the dropdown (see Definitions for more information on actions)

a. High Risk - SecureAuth IdP will execute this action if the user risk score falls within the upper range

b. Medium Risk - SecureAuth IdP will execute this action if the user risk score falls within the middle range

c. Low Risk - SecureAuth IdP will execute this action if the user risk score falls within the lower range

d. Score Unavailable - SecureAuth IdP will execute this action if the user risk score cannot be retrieved

This action can occur if the user is not found in the data source or does not have a score assigned in the data source

See the KB article Unable to Communicate with the User Risk Adaptive Authentication Data Provider for more information if SecureAuth IdP is unable to communicate with the data source

User Risk with Machine Learning Feature
Data
Profile Fields

 

1. In the Profile Fields section, map the riskScore JSON path to a chosen Property (e.g. Phone 4) as follows:

a. Click the Source link to the right of the selected Property (usually labeled "Default Provider")

b. Select REST from the dropdown

c. In the Field text box, enter {userInfo}{riskScore} as the riskScore JSON path

The curly braces are SecureAuth's method of denoting key levels, i.e. the riskScore key is a child of the userInfo key

Click Save once the configuration has been completed and before leaving the Data page to avoid losing changes

Adaptive Authentication
User Risk

 

2. In the User Risk section, toggle the switch to Enabled to enable this analysis feature

3. Click Add User Risk Score Provider

Add New Risk Provider

 

4. Configure the Risk Ranges for Minimum, Medium, High, and Maximum risk scores

5. Under Connection Settings, enter the Risk Score Provider Name

6. Enter the Base URL of the Exabeam instance in the format https://services.company.com:59

7. Enter /api/user/{username}/info in the Get Profile Relative URL field

8. Select Cookie from the Authentication Method dropdown

9. Enter the Username of an Exabeam service account that has access to retrieve user profile information

10. Provide the Password associated with the Username

11. Enter /api/auth/login in the Authentication Relative URL field

12. From the Risk Score User Identifier dropdown, select the field that stores the user risk score, that is, the directory Profile Field mapped to the Property configured on the Data page

NOTE: The default setting is User Authenticated ID, which is usually used by SecureAuth User Risk


Property selections available from the Risk Score User Identifier dropdown include:

  • Phone 1
  • Phone 2
  • Phone 3
  • Phone 4
  • Email 1
  • Email 2
  • Email 3
  • Email 4
  • Aux ID 1
  • Aux ID 2
  • Aux ID 3
  • Aux ID 4
  • Aux ID 5
  • Aux ID 6
  • Aux ID 7
  • Aux ID 8
  • Aux ID 9
  • Aux ID 10

13. Enter {userInfo}{riskScore} as the Risk Score JSON Path of the Risk Score User Identifier

14. Click Save to save the Exabeam user risk configuration

 

15. Under User Risk Score Actions, specify the action SecureAuth IdP will take if the user risk score falls within the specified range by making a selection from the dropdown (see Definitions for more information on actions)

a. High Risk - SecureAuth IdP will execute this action if the user risk score falls within the upper range

b. Medium Risk - SecureAuth IdP will execute this action if the user risk score falls within the middle range

c. Low Risk - SecureAuth IdP will execute this action if the user risk score falls within the lower range

d. Score Unavailable - SecureAuth IdP will execute this action if the user risk score cannot be retrieved

This action can occur if the user is not found in the data source or does not have a score assigned in the data source

See the KB article Unable to Communicate with the User Risk Adaptive Authentication Data Provider for more information if SecureAuth IdP is unable to communicate with the data source

Click Save once the configuration has been completed and before leaving the Adaptive Authentication page to avoid losing changes
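
The score lookup and threshold mapping configured in the v9.1 and v9.2 procedures above, as an added example (not SecureAuth or Exabeam code): it resolves the {userInfo}{riskScore} brace path against a constructed response body and maps the result to High, Medium, Low or Score Unavailable. The threshold values, the function names and the rule that the highest matching From value wins are assumptions made for illustration.

```python
import json
import re

# Constructed sample of a body returned by GET /api/user/{username}/info.
# Only the userInfo -> riskScore nesting comes from the guide; values are made up.
SAMPLE_RESPONSE = '{"userInfo": {"username": "jdoe", "riskScore": 87.5}}'

# Hypothetical "From" value per risk level (constructed, not vendor defaults).
FROM_THRESHOLDS = {"High": 80, "Medium": 40, "Low": 0}


def parse_path(path):
    """Split a brace path such as {userInfo}{riskScore} into its keys."""
    keys = re.findall(r"\{([^{}]+)\}", path)
    # Reject anything that is not purely a sequence of {key} segments.
    if not keys or "".join("{%s}" % k for k in keys) != path.strip():
        raise ValueError("malformed brace path: %r" % path)
    return keys


def extract_score(body, path="{userInfo}{riskScore}"):
    """Return the numeric score found at path, or None if it cannot be read."""
    try:
        node = json.loads(body)
    except (TypeError, ValueError):
        return None
    for key in parse_path(path):
        if not isinstance(node, dict) or key not in node:
            return None  # user not found, or no score assigned
        node = node[key]
    # bool is a subclass of int in Python; do not treat it as a score.
    if isinstance(node, bool) or not isinstance(node, (int, float)):
        return None
    return float(node)


def risk_level(score, thresholds=FROM_THRESHOLDS):
    """Map a score to High, Medium or Low, else 'Score Unavailable'."""
    if score is None:
        return "Score Unavailable"
    # Test the highest "From" value first so the strictest level wins.
    for level, start in sorted(thresholds.items(), key=lambda kv: -kv[1]):
        if score >= start:
            return level
    return "Score Unavailable"  # below every configured range


def evaluate(body):
    """Full lookup: response body in, risk level name out."""
    return risk_level(extract_score(body))
```

Running captured responses for a few representative accounts through a check like this before enabling User Risk shows which of them would land in the Score Unavailable (No Score Returned) action rather than in a scored range.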
