Threat‑based user blocking

Proactively remediate ongoing attacks by using threat‑based access policies to automatically block suspicious users, expanding IP‑based protections to user‑level enforcement during the SSO flow.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Verify administration console as an Administrator. For more information, see Accessing IBM Verify.

About this task

Attackers are enrolling large numbers of MFA devices (voice or SMS OTP) for users across multiple geographies. As a result, customers have been manually deactivating the compromised accounts that the Threat Detection service identifies. Although IP‑based blocking is available, there is no automated way to stop suspicious users; a user‑level blocking mechanism during the SSO flow is needed to close this gap.

The Threat Intelligence (TI) service is enhanced to include the userId from the current SSO session, so that it can determine whether the authenticated user is suspicious.

A new custom attribute is created for the SSO flow: ibm:threat_is_suspicious_user. It is similar to existing threat-related custom attributes and available during the SSO flow.

Procedure

  1. Log in as an administrator on IBM Verify. Navigate to the profile icon and click Switch to admin.
  2. Select Security > Access policies. Create a new access policy or update an existing one.
    • Define the policy rules (SSO) by using the custom attribute ibm:threat_is_suspicious_user. For example:

      Condition: ibm:threat_is_suspicious_user is in true

      Action: Block or enforce MFA or Allow

  3. Save and publish the Access policy.
  4. Select Applications > Application settings > Sign-on and then add this created policy to the selected application.

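The following is an added example, not IBM Verify code: a small rule evaluator for reasoning about how an SSO access policy built on ibm:threat_is_suspicious_user resolves to an action. It assumes (not stated on this page) that rules are evaluated top-down with first match winning, that "is in" tests membership of the attribute value in a list, and that an attribute absent from the session context matches no rule, so the policy default applies.

```python
# Added example (not IBM Verify code): a minimal simulator for how SSO
# access-policy rules on ibm:threat_is_suspicious_user combine.
# Assumptions (labelled): rules are evaluated top-down, first match wins;
# "is in" checks membership of the attribute's value in a list; an
# attribute missing from the session context matches no rule.

from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    attribute: str
    values: list          # operand of the "is in" condition
    action: str           # "Block", "MFA" or "Allow"


@dataclass
class Policy:
    rules: list
    default_action: str = "Allow"


def normalize(value):
    # The attribute is a boolean flag; accept "true"/"false" strings too so
    # an operand written either way compares equal to the session value.
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).strip().lower()


def evaluate(policy, session):
    """Return (matched rule name, action) for an SSO session attribute dict."""
    for rule in policy.rules:
        if rule.attribute not in session:
            continue                      # attribute not supplied: no match
        if normalize(session[rule.attribute]) in {normalize(v) for v in rule.values}:
            return rule.name, rule.action
    # No rule matched, including the case where TI supplied no attribute at
    # all: the default applies, so choose it deliberately.
    return "default", policy.default_action


# Constructed policy mirroring the procedure: suspicious users are blocked,
# everyone else falls through to the default action.
SUSPICIOUS_USER_POLICY = Policy(rules=[
    Rule("suspicious-user", "ibm:threat_is_suspicious_user", [True], "Block"),
])

if __name__ == "__main__":
    for ctx in ({"ibm:threat_is_suspicious_user": True},
                {"ibm:threat_is_suspicious_user": "false"}, {}):
        print(ctx, "->", evaluate(SUSPICIOUS_USER_POLICY, ctx))
```

Swap the action to "MFA" in the rule to model the step-up variant the procedure mentions; the empty-context case shows why the default action deserves an explicit choice.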
What to do next

  • When a user logs in to IBM Verify and attempts to access the application, the Threat Intelligence (TI) service evaluates whether the user is suspicious.
  • If the user is found to be suspicious, then, based on the action defined in the access policy rule, the user is blocked or prompted for MFA.
  • If the user is not suspicious, the user is allowed to access the application.