Generating an Adaptive Access activity report
You can generate an Adaptive Access activity report from the IBM® Security Verify administrative console.
Before you begin
- You must have administrative permission or be a member of the helpdesk group to complete this task.
- Log in to the IBM Security Verify administration console.
The tiles for authentication activity, application usage, administrator activity, and multi-factor authentication activity are displayed. The Adaptive access tile shows the summary information for the past 24 hours.
Select the View Report link on the Adaptive
The summary report for the current day displays:
- The number of total invocations
- The number of very high risk attempts
- The number of high risk attempts
- The number of medium risk attempts
- The number of low risk attempts
A color-coded, scalable graphical representation of the number of invocations for the selected time period is displayed. You can move the mouse pointer along the date line to see daily summaries of the risk levels that were detected. The time period can be up to 90 days. The graph scale is based on the data sets, and the invocation time is displayed as local time.
- After the graph, the authentication activity for individual users is displayed.
Table 1. Individual activity information
Information | Attributes | Descriptions
Time Stamp: The date and time that the adaptive access event occurred.
User:
- User name: The unique identifier for logging in to Verify. It can be the same as the email address of the user.
- The identity source attribute that helps distinguish users from multiple identity sources that have the same user name.
This information is displayed in the Edit User dialog box.tab, and in the
For the following identity sources:
- Cloud Directory, the realm
- IBMid, the realm
- SAML Enterprise, the realm value can be any unique name that you assigned when you created the identity source.
- OnPrem LDAP, the realm value can be any unique name that you assigned when you created the identity source.
- Cloud Directory, the realm value is
- Very high
- Access from a device pending MFA: A device was prompted for MFA and the MFA was not completed. In the next session on the same device for the same user, MFA is prompted again. The risk score remains the same from the last session.
- Access from a known and trusted device: The access was made with a device that was previously used by the user. It is a trusted device based on Trusteer’s device intelligence.
- Access from a known device with a new connection: The access was made with a device that was previously used by the user. However, access is through a different internet service provider (ISP), a different geographical location, or a different connection method.
- Access with a change in device attributes: The access was made by using a new device or a known device with a significant change in its attributes. Both hardware and software attributes are examined to determine a change in device attributes.
- Access with a user behavior change: Trusteer’s risk engine learns the user behavior by analyzing the access patterns. When a change in the user behavior is noticed, an alert is sent. An example of a behavior change is accessing for the first time after working hours.
- Access including risky device indication: The device attributes were determined as risky based on Trusteer’s security intelligence. Trusteer’s security intelligence constantly expands and updates based on deep research and data analysis.
- Risk service unavailable - medium risk applied: The system was unable to complete the risk assessment. The policy action for medium risk level was applied.
- Block (Override): The block action overrides all other decisions in the policy.
- MFA (Override): The MFA action overrides all other decisions in the policy.
- Allow (Override): The allow action overrides all other decisions in the policy.
- The user is denied.
- MFA always: Always require MFA, even in the same session.
- MFA per session: If not already done, force MFA.
- The user is allowed.
The policy name and ID that are applied to the event.
Application: The name of the application that is accessed.
Location: The city, state, and country where the event occurred.
Device: The browser and operating system that were used by the device.
Client IP: The IP address of the device that made the authentication request. The details contain an X-Force IP report link to evaluate the threat value of the address.
Select an event to see the details associated with it. See Adaptive Access event attributes.
Select Filters to filter the results.
You can search by
Note: The search fields are case-sensitive.
- Filter selections are user name and realm.
- Filter selections are client IP and location.
- Event details: Filter selections are risk level, policy name, policy ID, application name, reason, and session ID.
- Change the date range for the report.
Select the From and To dates to display the calendar drop-downs and select the dates for the report. You can't go back more than 90 days.
Note: The To date cannot exceed the current date.
Select Run Report.
The report information is refreshed.