Symantec Access Management

  • 1.  Risk Authentication Queries

    Posted Mar 25, 2021 02:25 AM
    Dears,

    Need your kind support to figure out the below queries for Risk Authentication:

    1) We need to write one Risk Authentication rule using ClientIPAddress. If the ClientIPAddress does not match anything such as UntrustedIP, TrustedIP or any list, considering it as unknown, the action would be increaseauth.
    2) Does CA provide malware/threat-based IP address data? I can only see Geolocation and Anonymizer IP data.
    3) Why do we have two tables for ARQGEOANONYMIZER and ARQGEOPOINT?

    Best Regards


  • 2.  RE: Risk Authentication Queries

    Broadcom Employee
    Posted Mar 29, 2021 12:53 PM
    Hi Javed,

    Here are the answers to your queries.
    1) We need to write one Risk Authentication rule using ClientIPAddress. If the ClientIPAddress does not match anything such as UntrustedIP, TrustedIP or any list, considering it as unknown, the action would be increaseauth.

    ---> You can create a combination rule, say ClientIPAddressCheck, configured as (NOT in UntrustedIP AND TrustedIP); you can assign the INCREASEAUTH advice to it and set its priority of execution.

    2) Does CA provide malware/threat-based IP address data? I can only see Geolocation and Anonymizer IP data.

    ---> We only have the Anonymizer and the Geolocation data; the Anonymizer data contains malware IPs as well.
    3) Why do we have two tables for ARQGEOANONYMIZER and ARQGEOPOINT?

    ---> We have two tables each because these are big tables and only one is active at a time. You can look in the ARRFCONFIGURATION table to see which table is active and serving the transactions. When you upload the Quova data again (normally bi-weekly, to get the latest IP information), the data is put into the table that is not serving transactions, so we do not impact the running txns. Once the data is uploaded, the recommendation is to swap the tables, so the new table now has all the data, and the refresh will make the table you uploaded the data to the active one.
    That is why we have two tables.

    -Namish
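    The combination rule described in the reply above, modelled as an added example (not Symantec/CA Risk Authentication code and not the product's rule syntax). It assumes, as my own assumptions, that the UntrustedIP and TrustedIP lists hold CIDR ranges, that the rule is meant to fire when the address is in neither list, and that advice values are plain strings; the list contents, the surrounding UntrustedIPCheck/TrustedIPCheck rules and their DENY/ALLOW advices are constructed for illustration.

```python
# Added example: a small model of the "unknown client IP" combination rule.
# Not Symantec/CA code. Assumptions (mine): lists are CIDR ranges, the rule fires when
# the address is in NEITHER list, advice values are strings. All data is constructed.
import ipaddress

# Constructed sample lists; a real deployment loads these from the product's list tables.
TRUSTED_IP = ["10.0.0.0/8", "192.168.1.0/24"]
UNTRUSTED_IP = ["203.0.113.0/24", "198.51.100.7/32"]


def ip_in_list(client_ip, cidrs):
    """True if client_ip lies inside any range in cidrs; unparseable input matches nothing."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def client_ip_address_check(client_ip, trusted=TRUSTED_IP, untrusted=UNTRUSTED_IP):
    """Combination rule ClientIPAddressCheck: fires when the IP is in neither list."""
    matched = not ip_in_list(client_ip, untrusted) and not ip_in_list(client_ip, trusted)
    return {"rule": "ClientIPAddressCheck",
            "matched": matched,
            "advice": "INCREASEAUTH" if matched else None}


# Priority-ordered rule set (constructed): the first rule that matches decides the advice.
# The list-membership rules sit ahead of the unknown-IP rule so an explicitly listed
# address is never treated as unknown.
RULES = [
    ("UntrustedIPCheck", lambda ip: ip_in_list(ip, UNTRUSTED_IP), "DENY"),
    ("TrustedIPCheck", lambda ip: ip_in_list(ip, TRUSTED_IP), "ALLOW"),
    ("ClientIPAddressCheck", lambda ip: client_ip_address_check(ip)["matched"], "INCREASEAUTH"),
]


def evaluate(client_ip, rules=RULES, default_advice="ALLOW"):
    """Walk the rules in priority order; return (rule name, advice) of the first match."""
    for name, predicate, advice in rules:
        if predicate(client_ip):
            return name, advice
    return "default", default_advice


if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.9", "8.8.8.8", "", "not-an-ip"):
        print(f"{ip!r:14} -> {evaluate(ip)}")
```

    Note the edge case: an empty or malformed ClientIPAddress (for instance a bad value copied from a proxy header) is in neither list, so the rule fires and the user gets INCREASEAUTH rather than a silent pass. That is the fail-safe direction; if the address is taken from a forwarded header, validate the header before the rule runs so the lists are compared against the real client address.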






  • 3.  RE: Risk Authentication Queries

    Posted Apr 05, 2021 12:48 PM
    Dear Namish Tiwari,

    I really appreciate your helpful response to my queries.

    1) We need to write one Risk Authentication rule using ClientIPAddress. If the ClientIPAddress does not match anything such as UntrustedIP, TrustedIP or any list, considering it as unknown, the action would be increaseauth.

    ---> You can create a combination rule, say ClientIPAddressCheck, configured as (NOT in UntrustedIP AND TrustedIP); you can assign the INCREASEAUTH advice to it and set its priority of execution.

    ---> I am actually new to writing risk rules, hence it becomes confusing sometimes. When we select CLIENTIPADDRESS in "Select Data Element" we also have to specify the "Select Operator". Could you guide me here, please? Below is a screenshot from my configuration:

    2) Does CA provide malware/threat-based IP address data? I can only see Geolocation and Anonymizer IP data.

    ---> We only have the Anonymizer and the Geolocation data; the Anonymizer data contains malware IPs as well.
    --> I examined the Anonymizer data and the information available on the CA website, but it does not specifically state that any of the listed IPs are related to any malware/threat. These are anonymous IPs labelled by their recent activity, which only suggests that they could be possible suspicious-activity candidates.

    Best Regards,


  • 4.  RE: Risk Authentication Queries

    Posted Apr 14, 2021 03:43 AM
    Dears,

    Your support on the above pointers is highly appreciated. Waiting for your valuable inputs.

    Thanks