Risk rule categorization or risk rule sets

The predefined risk rules in the Risk Rule Configurator are categorized into two types based on whether the risk incident is triggered by user or device behavior.

The predefined risk rules correspond to one of the following categories:

Category: User behavior-based risk rule
Description: The Blocked URL Access (Secure Browser), Out of compliance (OOC) events, and SIM change detected on device rules are considered risky user behavior. The risk score that is associated with these risk incidents gradually decreases if the user does not repeat the risky behavior.
Note: The risk incident is not removed from the Security Dashboard immediately. The incident is removed only when the risk score becomes zero.

Example: If a user's risk score is zero and the user accesses blocked URLs 3 - 5 times, the condition that is defined in the Blocked URL Access (Secure Browser) risk rule becomes true and a risk incident of medium severity is created against the device and the user who is assigned to that device. A risk score of 75 is assigned to the device.

If the user does not repeatedly access blocked URLs, the risk score gradually decreases to 48 and eventually to zero. When the risk score becomes zero, the risk incident is removed from the Security Dashboard. If the user continues to access blocked URLs, the risk score increases to 75 - 120. The exact score depends on the number of blocked URLs that the user accessed and the number of times the user accessed these URLs.

Category: Device-based risk rule
Description: Any predefined risk rule that is not categorized as a user behavior-based risk rule. The risk score that is associated with the corresponding risk incident drops to zero immediately when the risk is remediated, and the incident is then removed from the Security Dashboard.
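As an added illustration (not part of the MaaS360 documentation or product code), the following Python model captures the two incident lifecycles described above. The page gives only the medium score of 75, the decay waypoint of 48 and the 75 - 120 repeat band; the decay step size, the high and low scores, and the per-hit increment are assumptions.

```python
from dataclasses import dataclass

# Severity-to-score mapping. Only "medium -> 75" is stated on the page;
# the high and low values are placeholders (assumption).
SEVERITY_SCORE = {"high": 100, "medium": 75, "low": 50}

# Decay per quiet period for user-behavior incidents. Derived from the
# page's 75 -> 48 waypoint; the real interval and step are not documented.
USER_DECAY_STEP = 27

# Score band the page gives for a user who keeps repeating the behavior.
REPEAT_MIN, REPEAT_MAX = 75, 120


@dataclass
class RiskIncident:
    rule: str
    severity: str
    user_behavior: bool  # True: user behavior-based rule, False: device-based rule
    score: int = 0

    def __post_init__(self) -> None:
        self.score = SEVERITY_SCORE[self.severity]

    def on_dashboard(self) -> bool:
        # An incident leaves the Security Dashboard only once its score is zero.
        return self.score > 0

    def quiet_period(self) -> int:
        """One period in which the user did not repeat the behavior: a
        user-behavior score decays one step; a device-based score is unchanged."""
        if self.user_behavior:
            self.score = max(0, self.score - USER_DECAY_STEP)
        return self.score

    def repeat(self, url_hits: int) -> int:
        """User repeated the behavior. The page only says the result lands in
        75 - 120 depending on URL and access counts; +5 per hit is assumed."""
        if self.user_behavior:
            self.score = min(REPEAT_MAX, max(REPEAT_MIN, self.score) + 5 * url_hits)
        return self.score

    def remediate(self) -> int:
        """Risk fixed on the device: a device-based score drops to zero at once.
        User-behavior incidents are not cleared this way; they only decay."""
        if not self.user_behavior:
            self.score = 0
        return self.score
```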

Administrator actions available in the Risk Rule Configurator

In the Risk Rule Configurator, administrators can perform the following actions:

  • Administrators can enable or disable any of the predefined risk rules for the organization. By default, every risk rule is enabled and a severity is associated with each risk rule.
  • Administrators can enable or disable a rule description under a risk rule, so that only the rule descriptions that are necessary for monitoring the organization's risk factors are in use. This option is available for all risk rules in the rule set.

    Example: Administrators can enable the Older version of MaaS360 app risk rule, choose to monitor only MaaS360 app version =7.30 AND Platform=Android, and then enable that rule description while disabling the other rule descriptions under this rule name.

    [Screenshot: Risk Rule Configurator]
  • When a rule name is enabled, administrators can assign an incident severity (high, medium, or low) to the risk rule. Based on the severity, a risk score is assigned to the device and to the user when a risk is detected on the user's device. Click Save to save and apply the risk rule configuration to the organization's risk security monitoring.
  • Administrators can also use the Search option to find a specific risk in the Risk Rule Configurator.
  • Click the Collapse Rule sets icon to view all the rule names; at this level you can view and enable or disable each rule name. Click the Expand Rule sets icon to expand the view of all rule names, including the rule description and severity details.