2.2 Configuring Risk Rules

Table 2-1 Risk Rules (each rule name is followed by its description)

Cookie Rule

Use this rule if you want to track login attempts from a browser-based application that has a specific cookie value or name.

For example, you have a financial application and a user accessing this application has cookies stored on the browser. If the cookie has a specific value or name, the risk level is low. If the user’s browser has no cookies stored, the risk level is high.

External Parameters Rule

Use this rule to consider inputs from external providers to evaluate the risk associated with an access attempt.

HTTP Header Rule

Use this rule to track the requests that contain a specific value in the HTTP header.

For example, to track HTTP requests that carry a particular custom HTTP header, define this rule and the action to perform when the rule evaluates.

IP Address Rule

Use this rule to define a condition to track login attempts from an IP address, range of IP addresses, an IP subnet range, or a list of IP addresses from an external provider.

For example, if you are aware that login attempts from a specific range of IP addresses are riskier, you can define a rule to watch for such login attempts. When a request originates from the specified IP address range, you can prompt for additional authentication.

User Last Login Rule

This rule creates a cookie in the browser after successful additional authentication. Subsequent logins verify this cookie. Use this rule to define the duration for which the cookie is valid.

When the cookie is expired, the user is prompted for additional authentication.

For example, this rule can be used to evaluate if the user is logging in by using the same browser that was used earlier for a login attempt. You can define the risk level and request additional authentication, as necessary.

User Time of Login Rule

Use this rule to define a condition based on the user’s attempts to log in within a specific duration.

For example, if the usual login pattern for an employee is between 9 a.m. and 5 p.m., you can define a rule that takes action when a login differs from the observed pattern.

To configure a rule, perform the following steps:

  1. Click the Risk Rules icon > plus icon.

  2. Specify the rule name and the description.

  3. Select the preferred type of rule from Choose a Rule Type.

  4. Configure the following rules as required:

    For a description of these rules, see Table 2-1.

    Cookie Rule

    1. Specify the name of the cookie.

    2. Specify the value of the cookie. The different search criteria that you can use are Is and Is Not.

    3. [Optional] If the cookie is not found, but you want to create a cookie after the user authenticates, select Create cookie if the user authenticates successfully.

      1. Specify the validity of the cookie in hours.

      2. Specify the path for the cookie.

    IMPORTANT: A cookie is set when a user authenticates using second-factor authentication. The cookie is not created if the risk is low and the user authenticates using the primary authentication method.

    External Parameters Rule

    1. Select Negate Result to reverse the result of the rule evaluation. For example, if this rule fetches authentication details of a request from a specific IP address, use Negate Result to make the rule ignore inputs from that IP address.

    2. Specify the URL of the external source. The rule sends GET requests to this URL and expects simple JSON responses.

      1. Select Get parameters from an external source and specify Source URL.

      2. Select Authentication Type for authenticating the external source URL.

      3. If you selected Basic Authentication in Authentication Type, specify Username and Password to access the specified external source.

      4. Specify the Request Timeout value. After the specified time, the request times out.

      5. Select a Request Method that is accepted by the specified external source.

      6. Select request parameters.

    3. Add the following details for a parameter set:

      1. Name of the parameter.

      2. Specify a regular expression if required. For example, an external source sends the following value for the Virtual IPv4 parameter:

        The Virtual IP address is 127.0.0.1

        To extract the IP address from this string, specify the following value:

        (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

        This expression extracts the IP address 127.0.0.1 from the string and uses it for evaluating the configured condition. For information about regular expression syntax, see the Javadoc for java.util.regex.Pattern.

      3. Select a relational or string operator to define a relationship between parameter and parameter value. For example, whether a parameter must contain the specified parameter value or it must not be equal to the specified value.

      4. Specify a parameter value for evaluation.

      5. Click Add Parameter to add more parameters in this parameter set.

    4. (Conditional) Click Add Parameter Set to define an additional parameter set.

    5. For two or more parameter sets, specify how the conditions for parameters must match. The available options are Or and And.
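The following is an added example, not code from the product or its documentation, showing how the External Parameters Rule steps above fit together: the IPv4 expression quoted in step 3.2 is applied to an external source's JSON response, each parameter set is checked with a relational or string operator, sets are combined with And/Or, and Negate Result is applied last. The operator labels and the `Virtual IPv4`/`VPN` response fields are assumptions for the example; the expression itself behaves identically under java.util.regex.Pattern and Python's re.

```python
import re

# Regular expression quoted in the External Parameters Rule example: it picks
# the first dotted IPv4 address out of the text the external source returns.
IPV4_REGEX = (r"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
              r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")

# Operator labels are assumed for this example; the product's own may differ.
OPERATORS = {
    "Equals": lambda actual, expected: actual == expected,
    "Not Equals": lambda actual, expected: actual != expected,
    "Contains": lambda actual, expected: expected in actual,
    "Does Not Contain": lambda actual, expected: expected not in actual,
}

def extract_value(raw, regex):
    """Apply the optional regular expression (step 3.2); None means no usable value."""
    if regex is None:
        return raw
    m = re.search(regex, raw)
    return m.group(0) if m else None

def evaluate_parameter_set(response, parameters):
    """Every parameter in a set must hold. A parameter is
    (name, regex_or_None, operator, expected_value). Missing or non-matching
    values fail the parameter instead of raising, so an empty or malformed
    response can never satisfy a condition by accident."""
    for name, regex, operator, expected in parameters:
        raw = response.get(name)
        if raw is None:
            return False
        value = extract_value(str(raw), regex)
        if value is None or not OPERATORS[operator](value, expected):
            return False
    return True

def evaluate_rule(response, parameter_sets, match="And", negate=False):
    """Combine parameter sets with And/Or (step 5), then apply Negate Result (step 1)."""
    outcomes = [evaluate_parameter_set(response, s) for s in parameter_sets]
    result = all(outcomes) if match == "And" else any(outcomes)
    return (not result) if negate else result

# Constructed JSON response, shaped like the page's "Virtual IPv4" example.
SAMPLE_RESPONSE = {"Virtual IPv4": "The Virtual IP address is 127.0.0.1", "VPN": "on"}
SET_LOOPBACK = [("Virtual IPv4", IPV4_REGEX, "Equals", "127.0.0.1")]
SET_VPN = [("VPN", None, "Equals", "on"),
           ("Virtual IPv4", IPV4_REGEX, "Not Equals", "10.0.0.1")]
```

`evaluate_rule(SAMPLE_RESPONSE, [SET_LOOPBACK, SET_VPN], "And")` returns True for the sample, and an empty or absent response always fails, which is the safe default for a risk input.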

    HTTP Header Rule

    1. Specify the HTTP header Name.

    2. Specify the value that you want an HTTP header to include.

      For example, if you want to search for an HTTP header that includes the value NetIQ, use the search criterion Equals. If instead you want to match an HTTP header that does not include the value NetIQ, use Does Not Contain.

    IP Address Rule

    1. Specify the condition that determines whether login from the IP addresses in the list is allowed.

    2. To manually add IP addresses, select Manually enter the Datasource. You can specify a single IP address, IP address range, IP address subnet, or upload a text file containing IP addresses. To specify IPv4 subnets, use the Classless Inter-Domain Routing (CIDR) notation.

      Click Add to List.

      Sample text format

      # Example IP List
      10.0.0.0
      172.16.0.0
      192.168.0.0

      Each entry in the text file must be on a separate line.

    3. To consider the list of IP addresses provided by an external provider or an internal web service, select Dynamically consume from the Datasource.

      1. Specify the URL of the provider.

      2. Specify Connection Timeout. After this time, an unresponsive connection is closed.

      3. Specify Refresh Interval. The connection will be refreshed at the specified interval.

      The external provider supplies the list of IP addresses in text or JSON format.

      Sample text format

      # Example IP List
      10.0.0.0
      172.16.0.0
      192.168.0.0

      Sample JSON format

      ["10.0.0.0","172.16.0.0","192.168.0.0"]

    4. Specify how the conditions for the rule must match. The available options are Is and Is Not.

    5. To validate the user history recorded in the database, select Check user history. You can use this option only when Record user history is enabled in the User History tab.

      IMPORTANT: You cannot specify an IP subnet in IPv6 format. Instead, use the IP range condition and define the range in IPv6 format.
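An added example (not product code) of how an IP Address Rule datasource such as the ones above is consumed and evaluated: it accepts both the text format (one entry per line, `#` comment lines ignored) and the JSON array format, treats entries as single addresses or IPv4 CIDR subnets, refuses IPv6 subnets as the IMPORTANT note describes, and applies the Is / Is Not condition from step 4. The `start-end` range syntax is an assumption made for this example, since the page does not show how ranges are written.

```python
import ipaddress
import json

def parse_ip_datasource(payload):
    """Parse the datasource in either documented format: text (one entry per
    line, '#' lines are comments) or a JSON array of strings. An entry is a
    single address, an IPv4 CIDR subnet, or (assumed format) a 'start-end'
    range. Unparseable entries are dropped rather than widening the list."""
    text = payload.strip()
    entries = json.loads(text) if text.startswith("[") else text.splitlines()
    parsed = []
    for entry in (e.strip() for e in entries):
        if not entry or entry.startswith("#"):
            continue
        try:
            if "-" in entry:  # assumed range syntax, e.g. 172.16.0.0-172.16.255.255
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
                if lo.version == hi.version and lo <= hi:
                    parsed.append(("range", lo, hi))
            else:
                net = ipaddress.ip_network(entry, strict=False)
                if net.version == 6 and net.prefixlen != 128:
                    continue  # IPv6 subnets are not supported; use a range instead
                parsed.append(("network", net))
        except ValueError:
            continue
    return parsed

def ip_in_list(client_ip, parsed):
    """True when client_ip falls inside any network or range in the parsed list."""
    ip = ipaddress.ip_address(client_ip)
    for kind, *bounds in parsed:
        if bounds[0].version != ip.version:
            continue
        if kind == "network" and ip in bounds[0]:
            return True
        if kind == "range" and bounds[0] <= ip <= bounds[1]:
            return True
    return False

def evaluate_ip_rule(client_ip, parsed, condition="Is"):
    """Step 4: 'Is' fires when the address is in the list, 'Is Not' when it is absent."""
    matched = ip_in_list(client_ip, parsed)
    return matched if condition == "Is" else not matched

# Constructed samples in the two formats shown in the documentation.
SAMPLE_TEXT = "# Example IP List\n10.0.0.0/8\n172.16.0.0-172.16.255.255\n192.168.0.0\n2001:db8::/32\n"
SAMPLE_JSON = '["10.0.0.0","172.16.0.0","192.168.0.0"]'
```

Note that a bare address such as `192.168.0.0` is treated as exactly one host, not a subnet, so `192.168.0.1` does not match it; use CIDR notation when a whole subnet is intended.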

    User Last Login Rule

    1. Specify the name of the last login cookie.

    2. Specify the path for the cookie.

    3. Specify the validity of the cookie in days.

    4. If you want the cookie to be secured by HTTPS, select Secure Cookie.

    5. Specify the number of days the cookie can be accessed from the same device or system. This value must be less than the value in Max Age.

    6. Specify the crypto key to encrypt the cookie.

    IMPORTANT: The User Last Login cookie is set only when a user is authenticated by using second-factor authentication. This cookie is not created if the risk is assessed to be low and the user authenticates by using the primary authentication method.

    User Time of Login Rule

    1. Select the Is or Is Not condition based on your requirements. This determines how the conditions for the rule must be matched.

    2. Specify the date and time of the user login.