Behavior Profiles and Event Analytics

Behavior profiles allows XTAM System Administrators to create custom configurations to take automatic actions based on the behavior profiles of users. Common examples would be a Behavior Profile where a user unlocks too many secrets in a short amount of time or a user frequently downloads files during a remote session. These behavioral events could then trigger actions such as blocking the user’s access or terminating their session, allowing XTAM to perform self-monitoring with automated actions.

 

How To Create Behavior Profiles

How To Apply Behavior Profiles to User or Records

How To Edit Behavior Profiles and their Rules

How To Delete Behavior Profiles and their Rules

 

XTAM-Behavior-Profiles-Analytics

Create Behavior Profiles

How To Create Behavior Profiles:

  1. Login to XTAM with a System Administrator account. Only System Administrators may create and manage behavior profiles.
  2. Navigate to Administration > Behavior Profiles.
  3. Click the Add button to create a new profile.
  4. Enter a Name (required) and a Description (optional) for your new profile.
  5. Click the Add Rule button to create a new rule for this profile.
  6. Configure your rule using the below descriptions as guidelines.
    • Trigger: Defines the behavior that will automatically trigger the rule’s action.

      • Rule Type: Select the rule from dropdown menu that will be used to trigger the action. Please note that depending on the rule type selected, the remaining parameters may contain more or less options.

      • Threshold Count: This parameter specifies the number of times the selected type of a user’s behavior should occur before it triggers execution of the rule’s actions.

      • Threshold Size (Kb): This parameter specifies the minimum size of the content (in kilobytes) involved in the user behavior to count as a trigger condition for the rule’s actions to execute. You may leave this parameter blank or specify -1 to indicate that this rule applies to content of any size.

      • Rate (min): This parameter defines the duration (in minutes) of the user behavior event should happen to trigger the rule action. For example, it might be acceptable for a user to transfer 50 files during an entire session; however, transferring 50 files in the course of 5 minutes should cause a session termination. For events related to remote sessions, leave this parameter blank or specify -1 to indicate that the system should count user behavior threshold for the duration of the current session.

      • Rule Description: This read only field provides human readable feedback describing the current rule configuration to confirm the expectations of the rule’s behavior.

    • Rule Actions: This section describes the rule actions that execute in response to a user behavior condition defined in the previous section. You can disable a behavior profile by unchecking all options in this Rule Actions section. Please note that depending on the rule type selected, the Rule Actions parameters may contain more or less options.

      • Log Event: This action causes the system to generate an Audit Log event (using the audit category Analytics) in response to the specified user behavior. Interested parties could subscribe to daily or weekly reports as well as to real-time notifications related to the analytics events to monitor behavior of system users or to fine tune user behavior configuration. The events from the audit log could also be streamed to a SIEM systems for correlation analysis.

      • Terminate Session: This action causes the system to terminate the user’s current session to the remote endpoint in response to the specified user behavior.

      • Block User: This action causes the system to block a user in response to the specified user behavior from all system activities. A blocked user may still login to XTAM; however, until they are unblocked, they will not have access to any objects or settings, this includes all permissions and roles even System Administrators. Blocked users can only be unblocked by System Administrators from the Administration > Global Roles screen by removing the blocked role or from the Users report by selecting the Unblock option for this user.

      • We strongly recommend having at least 2 System Administrator accounts for XTAM, but if you only have 1 and you have blocked its access, you will need to run the DBUnblock command from the XTAM host server to manually unblock this account. To run this command you will need access to the XTAM host server, permissions to execute commands and access to the XTAM Master Password. We highly recommend having at least 2 System Administrator accounts to avoid these types of scenarios.

      • Reset Password: This action causes the system to schedule a password reset task for the asset(s) involved in the specified user behavior.
      • XTAM-Behavior-Profiles-Rule-Configuration

  7. Click the Save button to finish creating your rule for this profile.

  8. You may add additional rules to this Behavior Profile using the Add Rule and repeating the process or you may click the Save button to finish creating this profile.

Apply Behavior Profiles to User or Records

How To Apply Behavior Profiles to User or Records.

Behavior Profiles are applied to XTAM Users or Records as Workflow Binding objects thus allowing the profile to be uniquely customized to specific containers, records, IP addresses, time of day and more.

 

  1. Navigate to the container or object where the profile is to be applied and select the Manage > Workflows option from the menu.
  2. Select Actions > Edit for the existing binding that you wish to apply this profile. If you do not have any bindings, please review our Approval Workflows article for additional information about Workflows and their Bindings.
  3. For the Behavior Profile option, select the profile name from the dropdown menu.XTAM-Behavior-Profiles-Binding-Rule
  4. Click the Save button to save your updated workflow binding.

Now you may test the applied Behavior Profile with the User that is associated to this binding.

Edit Behavior Profiles and their Rules

How To Edit Behavior Profiles and their Rules.

  1. Login to XTAM with a System Administrator account. Only System Administrators may manage behavior profiles.
  2. Navigate to Administration > Behavior Profiles.
  3. Click the Edit button corresponding to the Behavior Profile you wish to edit.
  4. On the Behavior Profile’s edit page, you may update the Name, Description or add additional rules as needed.
  5. If you wish to edit an existing rule in this profile, click the Edit button corresponding to the rule, make the required changes and finally click its Save button to complete the rule change.
  6. Click the Save button on the Behavior Profile screen to save all your changes.

Delete Behavior Profiles and their Rule

How To Delete Behavior Profiles and their Rules.

  1. Login to XTAM with a System Administrator account. Only System Administrators may manage behavior profiles.
  2. Navigate to Administration > Behavior Profiles.
    • If you wish to delete a Behavior Profile entirely, click the Delete button next to the corresponding profile. Click OK in the confirmation dialog to complete the deletion of your selected profile.

    • If you wish to delete a Rule within a Behavior Profile, click the Behavior Profile’s Edit button and once in the Profile, click the Delete button next to the corresponding rule that you wish to remove from the profile. Click OK in the confirmation dialog to delete the selected rule. Once the rule has been deleted, you must click the Profile’s Save button to complete this process.

< Back to XTAM Request and Approval Workflows