10.7.2 Configuring User History

Recording user history for a risk policy lets you keep history details separately for different sets of users, according to your requirement.

Consider a situation where you have configured the following two risk policies:

  • One risk policy assesses authentication requests from internal users in an organization.

  • Another risk policy assesses authentication requests from users external to the organization.

To record the history details for internal users only, enable the recording of user history in the risk-based authentication class that is used to authenticate the internal users.

The following risk rules support user history:

  • Custom Rule

  • Device Fingerprint Rule

  • Geolocation Rule

  • IP Address Rule

  • User Time of Login Rule

Recording the user history involves the following steps:

  1. Configuring an External Database to Store User History

  2. Enabling User History

  3. Enabling user history while configuring a rule that supports history (see Configuring Rules)

  4. Configuring user history for a risk policy that is linked to an authentication class (see Configuring a Risk-based Authentication Class)

Enabling User History

  1. Click Policies > Risk-based Policies > User History.

  2. Select Enable User History to save the user session details in the database.

  3. Under History Settings, specify the number of days to consider during the rule execution, or select the option to consider all historical records. For example, if you specify 10, the details of the last 10 days are considered during the rule execution. If you do not specify the number of days, all historical records are considered.

    NOTE: If you select Built-in Data Store (Bundled eDirectory) as the History Data Store, specify the number of entries instead of the number of days. eDirectory supports recording only up to five history entries.

    This setting does not apply to device fingerprinting. When the Device Fingerprint Rule is configured, the rule evaluates all registered devices as configured in the Device Fingerprint Rule, irrespective of whether this setting is configured for a specific duration or for all records.

    For example:

    1. Configure a Device Fingerprint Rule to store up to 10 fingerprints.

    2. Under User History, specify to consider only four days during the rule execution.

    3. The rule evaluates the records for all ten registered devices, not only the records from the last four days.

  4. (Conditional) To store details in eDirectory, select Built-in Data Store (Bundled eDirectory).

    NOTE: In a production environment, it is strongly recommended not to use this option.

  5. (Conditional) If you choose to save session details in an external database, select External Database.

    1. Specify the name to identify the driver.

    2. Select the Database Driver. The driver path and dialect are displayed. You can change the driver and dialect details if required.

    3. Specify the Username and Password to access the database.

    4. Specify the URL to access the database.

      NOTE: To configure MySQL as the database, ensure that the database URL is specified as mysql://db_user:db_user@localhost/netiq_risk?autoReconnect=true, where db_user:db_user stands for the database user name and password. Use a database account dedicated to the netiq_risk database rather than a privileged account such as root: the URL, and the credentials in it, are stored in the Access Manager configuration.

      See Configuring an External Database to Store User History.

Deleting Risk-based Authentication and Device Fingerprint Entries from the Database

If you have enabled user history, details of all login attempts that use a risk policy or a device fingerprint policy are recorded in the database. Over time this data can occupy a large amount of storage. It is recommended to delete the entries periodically after you complete your analysis; export or archive any records you still need before deleting them, because the deletion is not reversible.

Deleting Entries from MS SQL Server

  1. Go to Start > All Programs > Microsoft SQL Server 2016 > SQL Server Management Studio.

  2. Connect to the database engine.

  3. Expand Databases; the netiq_risk database is listed.

  4. Click New Query.

  5. To check the number of entries in the usrtransaction table, select the following command and click Execute. (A count is used rather than SELECT *, which would pull every row of a possibly very large table into the results grid.)

    SELECT COUNT(*) FROM dbo.usrtransaction;

  6. To delete entries, select the following command and click Execute:

    DELETE FROM dbo.usrtransaction;

    NOTE: This command deletes all entries in the table. If you want to delete a specific range of entries, use the appropriate SQL command.

  7. Repeat steps 5 and 6 for the device fingerprint table (device_fingerprint).

Deleting Entries from MySQL Server

  1. Connect to the MySQL Server installed on Linux by using the MySQL client. Give -p without a value so that the client prompts for the password; a password typed on the command line is visible in the shell history and the process list, and `-p password` with a space would be read as a database name, not a password:

    mysql -u root -p

  2. Switch to the netiq_risk database:

    use netiq_risk;

  3. List the tables. The usrtransaction table is listed in the list of tables.

    show tables;

  4. Delete entries.

    delete from usrtransaction;

    NOTE: This command deletes all entries in the table. If you want to delete a specific range of entries, use the appropriate SQL command.

  5. Repeat step 4 for the device fingerprint table (device_fingerprint).

Deleting Entries from Oracle Server

  1. Open Oracle SQL Developer.

  2. Right-click Connections and select New Connection.

  3. Connect to the database engine.

  4. Expand Connections; the netiq_risk database is listed under the new connection.

  5. To check the number of entries in the usrtransaction table, select the following command and execute it:

    SELECT COUNT(*) FROM usrtransaction;

  6. To delete entries, select the following command and execute it. Unless auto-commit is enabled in SQL Developer, commit the transaction afterwards; otherwise the deletion is rolled back when the connection is closed.

    DELETE FROM usrtransaction;

    NOTE: This command deletes all entries in the table. If you want to delete a specific range of entries, use the appropriate SQL command.

  7. Repeat steps 5 and 6 for the device fingerprint table (device_fingerprint).
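All three NOTEs above (MS SQL Server, MySQL and Oracle) say to use the appropriate SQL command when only a range of entries is to be deleted. The following is an added example, not taken from the product documentation, showing one way to do that in each dialect: keep a retention window and delete the older rows in bounded batches, so that a single large DELETE does not hold locks on the table while Access Manager is still writing to it. It assumes that usrtransaction has a timestamp column; the column is named logintime here purely for illustration, because this page does not give the table schema. Check the real column name first and substitute it.

```sql
-- Added example, not product documentation. Purges usrtransaction rows
-- older than a 30-day retention window instead of emptying the table.
-- ASSUMPTION: a timestamp column named logintime (illustrative name only;
-- confirm it against the schema before running anything):
--   MySQL / Oracle:  DESCRIBE usrtransaction;
--   MS SQL Server:   EXEC sp_help 'dbo.usrtransaction';

-- 1. Count the rows the retention window would remove before deleting.
--    (MySQL date arithmetic; the dialect-specific forms are below.)
SELECT COUNT(*)
  FROM usrtransaction
 WHERE logintime < CURRENT_TIMESTAMP - INTERVAL 30 DAY;

-- 2. Delete in batches of 10000 rows and re-run the statement until it
--    reports 0 rows affected. Bounded batches keep each transaction, and
--    the time the table is locked, small.

-- MySQL
DELETE FROM usrtransaction
 WHERE logintime < CURRENT_TIMESTAMP - INTERVAL 30 DAY
 LIMIT 10000;

-- MS SQL Server
DELETE TOP (10000) FROM dbo.usrtransaction
 WHERE logintime < DATEADD(day, -30, SYSDATETIME());

-- Oracle (SQL Developer does not auto-commit by default)
DELETE FROM usrtransaction
 WHERE logintime < SYSTIMESTAMP - INTERVAL '30' DAY
   AND ROWNUM <= 10000;
COMMIT;

-- 3. Verify what remains.
SELECT COUNT(*) FROM usrtransaction;
```

Run the count in step 1 first and compare it with the total row count, so the retention window is not silently removing more than intended. Choose the window to be at least as long as the number of days configured under History Settings; otherwise the rules are evaluated against fewer days of history than the policy specifies. The device_fingerprint table may need a different retention: the Device Fingerprint Rule evaluates all registered devices regardless of the History Settings window (see above), so apply an age cut-off there only after confirming what its rows represent in your deployment.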