Generating an Adaptive Access activity report

You can generate an Adaptive Access activity report from the IBM® Security Verify administrative console.

Before you begin

  • You must have administrative permission or be a member of the helpdesk group to complete this task.
  • Log in to the IBM Security Verify administration console as an Administrator.

Procedure

  1. Select Reporting & diagnostics > Reports.
    The tiles for authentication activity, application usage, administrator activity, and multi-factor authentication activity are displayed. The Adaptive access tile shows the summary information for the past 24 hours.
  2. Select the View Report link on the Adaptive access tile.
    The summary report for the current day displays:
    • The number of total invocations
    • The number of very high risk attempts
    • The number of high risk attempts
    • The number of medium risk attempts
    • The number of low risk attempts

    A color-coded, scalable graph of the number of invocations for the selected time period is displayed. You can move the mouse pointer along the date line to see daily summaries of the risk levels that were detected. The time period can be up to 90 days. The graph scale is based on the data sets, and the time of each invocation is displayed as local time.

    The authentication activity for individual users is also displayed; see Table 1 in step 3.

  3. After the graph, the authentication activity for individual users is displayed.
    Table 1. Individual activity information
    Time Stamp
      Attribute: time
      Description: The date and time that the adaptive access event occurred.
    User
      Attributes: data.username, data.realm
      Description: Includes the user name and the realm.
      • User name: the unique identifier for logging in to Verify. It can be the same as the email address of the user.
      • Realm: the identity source attribute that helps distinguish users from multiple identity sources that have the same user name.

      This information is displayed in the Users & Groups > Users tab, and in the Edit User dialog box.

      The realm value depends on the identity source:
      • Cloud Directory: the realm value is cloudIdentityRealm.
      • IBMid: the realm value is www.ibm.com.
      • SAML Enterprise: the realm value can be any unique name that you assigned when you created the identity source.
      • OnPrem LDAP: the realm value can be any unique name that you assigned when you created the identity source.
    Risk level
      Attribute: data.risk_level
      Description: One of Very high, High, Medium, or Low.
    Reason
      Attribute: data.decision_reason
      Description: See Table 2 for the decision reasons.
    Policy action
      Attribute: data.policy_action
      Description: One of the following actions:
      • Block (Override): the block action overrides all other decisions in the policy.
      • MFA (Override): the MFA action overrides all other decisions in the policy.
      • Allow (Override): the allow action overrides all other decisions in the policy.
      • Block and redirect: the user cannot access the application and is redirected to the specified URL or URI.
      • Block: the user is denied.
      • MFA always: MFA is always required, even in the same session.
      • MFA per session: if MFA has not already been completed in the session, it is required.
      • Continue: the user is allowed without updating the Adaptive user record.
      • Allow: the user is allowed.
    Policy
      Attributes: data.policy_name, data.policy_id
      Description: The policy name and ID that are applied to the event.
    Application
      Attribute: data.applicationname
      Description: The name of the application that is accessed.
    Location
      Attributes: data.city, data.region, data.country
      Description: The city, state, and country where the event occurred.
    Device
      Attributes: data.browser, data.os
      Description: The browser and operating system that were used by the device.
    Client IP
      Attribute: data.origin
      Description: The IP address of the device that made the authentication request. The details contain an X-Force IP report link to evaluate the threat value of the address.

    Table 2. Decision reasons
    Access from a device pending MFA
      A device was prompted for MFA and the MFA was not completed. In the next session on the same device for the same user, MFA is prompted again. The risk score remains the same from the last session.
    Access from a known and trusted device
      The access was made with a device that was previously used by the user. It is a trusted device based on Trusteer's device intelligence.
    Access from a known device with a new connection
      The access was made with a device that was previously used by the user. However, access is through a different internet service provider (ISP), a different geographical location, or a different connection method.
    Access with a change in device attributes
      The access was made by using a new device or a known device with a significant change in its attributes. Both hardware and software attributes are examined to determine a change in device attributes.
    Access with a user behavior change
      Trusteer's risk engine learns the user behavior by analyzing the access patterns. When a change in the user behavior is noticed, an alert is sent. An example of a behavior change is accessing for the first time after working hours.
    Access including risky device indication
      The device attributes were determined to be risky based on Trusteer's security intelligence. Trusteer's security intelligence constantly expands and updates based on deep research and data analysis.
    Risk service unavailable - medium risk applied
      The system was unable to complete the risk assessment. The policy action for the medium risk level was applied.
    Access from a device that passed MFA in the current session
      The user's account was accessed from a device that completed MFA successfully in the current session.
    Access by the same device following multi-factor authentication failure
      The user's account was accessed by a device that previously failed an MFA challenge. An extra MFA challenge is required to verify the legitimacy of the access.
    Access with a risky location indication
      The user's account was accessed using a new device that has geolocation attributes that are considered risky and are not associated with the account.
    Suspicious access from a malware infected device
      The user's account was accessed using a device that is infected with malware.
    Access with a risky language indication
      The user's account was accessed using a new device that has browser language attributes that are considered risky and are not associated with the account.
    Access with a risky hosting service indication
      The user's account was accessed using a new device that is connecting from a known risky hosting service that is not associated with the account.
    Access with a virtual machine indication
      The user's account was accessed using a device that has characteristics that are associated with using a virtual machine.
    Access with a remote access tool indication
      The user's account was accessed using a device that is suspected to be remotely controlled by another device.

    Select an event to see the details associated with it. See Adaptive Access event details.

  4. Optional: Select Filters to filter the results.
    You can search by:
    • Identity: filter selections are user name and realm.
    • Source: filter selections are client IP and location.
    • Event details: filter selections are risk level, policy name, policy ID, application name, reason, and session ID.
    You can use any combination of filters to refine your results. Select Apply filters to modify the report. The selected filters are displayed above the graph. You can clear the filters by selecting the Reset link.
    Note: The search fields are case-sensitive.
  5. Change the date range for the report.
    Select the From and To dates to display the calendar drop-downs and select the dates for the report. You can't go back more than 90 days.
    Note: The To date cannot exceed the current date.
  6. Select Run Report.
    The report information is refreshed.
  7. Optional: Generate a CSV file for the report.
    1. Click Generate CSV.
    2. Follow the directions in Downloading a CSV report.
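
As an added example (not IBM's code or part of this documentation), the following script shows how an analyst might work with exported events that carry the Table 1 attributes and the Table 2 decision reasons: it reproduces the summary counts, applies the case-sensitive filters from step 4, and picks out the events to review first. The nested event shape, the helper names, and the sample records are assumptions, not the real export format.

```python
# Added example, not IBM's code. Assumes each exported event is a dict with a
# top-level "time" and a nested "data" object holding the Table 1 attributes
# (username, realm, risk_level, decision_reason, policy_action, applicationname,
# origin). The events below are constructed sample data, not real report output.
from collections import Counter

RISK_LEVELS = ("Very high", "High", "Medium", "Low")
FALLBACK_REASON = "Risk service unavailable - medium risk applied"
# Table 2 reasons that point at a compromised or suspect endpoint, plus the
# fallback: there the Medium verdict is a default, not a risk-engine finding.
REVIEW_REASONS = {"Suspicious access from a malware infected device",
                  "Access with a remote access tool indication",
                  "Access including risky device indication", FALLBACK_REASON}

def event(time, user, realm, risk, reason, action, app, ip):
    """Build one constructed event in the assumed exported shape."""
    return {"time": time, "data": {
        "username": user, "realm": realm, "risk_level": risk, "decision_reason": reason,
        "policy_action": action, "applicationname": app, "origin": ip}}

SAMPLE_EVENTS = [
    event("2024-05-01T08:15:40Z", "alice", "cloudIdentityRealm", "Medium",
          FALLBACK_REASON, "MFA per session", "Payroll", "198.51.100.7"),
    event("2024-05-01T09:30:05Z", "bob", "www.ibm.com", "High",
          "Access with a risky hosting service indication", "MFA always", "Mail", "203.0.113.9"),
    event("2024-05-01T11:47:52Z", "carol", "cloudIdentityRealm", "Very high",
          "Suspicious access from a malware infected device", "Block", "Mail", "203.0.113.22"),
    event("2024-05-01T12:01:00Z", "Alice", "cloudIdentityRealm", "Low",
          "Access from a known and trusted device", "Allow", "Mail", "198.51.100.7"),
]

def summarize(events):
    """The summary-tile numbers: total invocations plus one count per risk level."""
    counts = Counter(e["data"]["risk_level"] for e in events)
    return {"total": len(events), **{lvl: counts.get(lvl, 0) for lvl in RISK_LEVELS}}

def filter_events(events, **criteria):
    """Console-style filters, e.g. filter_events(evts, username="alice", risk_level="High").
    Matching is exact and case-sensitive, as the console's search fields are."""
    return [e for e in events
            if all(e["data"].get(k) == v for k, v in criteria.items())]

def needs_review(events):
    """Events to triage first: Very high or High risk, or a reason in REVIEW_REASONS.
    Returns (time, username, origin, decision_reason) tuples in time order."""
    picked = [e for e in events if e["data"]["risk_level"] in ("Very high", "High")
              or e["data"]["decision_reason"] in REVIEW_REASONS]
    return [(e["time"], e["data"]["username"], e["data"]["origin"], e["data"]["decision_reason"])
            for e in sorted(picked, key=lambda e: e["time"])]
```

Note that "alice" and "Alice" are different users to the filter, exactly as they are to the console's search fields, so a realm filter is the safer way to narrow results when the same person appears under several identity sources.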