Managing threat detection

IBM® Security Verify can analyze and correlate patterns across tenants to detect threat indicators, such as attempts to brute force access, credential stuffing attacks and deviations in established usage patterns. The alerts are available as part of the audit event stream and can be used to take proactive remediation action, such as disabling compromised user accounts or application clients.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM Security Verify administration console as an Administrator. For more information, see Accessing IBM Security Verify.

About this task

Note: Verify threat detection and remediation detects and remediates certain types of malicious IP traffic. While it does not guarantee that 100% of malicious IP addresses are detected or remediated, it does improve your security and reduces your security risks.

Admins can configure their Verify SaaS environment to alert on, or proactively block, login traffic that results from identified attacks. The attacks can be detected on your specific IBM Security Verify SaaS environment or identified from other Verify SaaS tenants, in which case your tenant can take proactive mitigation.

IBM Security Verify detects suspicious traffic that shows indicators of attack and generates threat events. An Admin can review the events by using the Threat Events report and take manual proactive actions, such as blocking a user.

Procedure

  1. Select Security > Threat detection.

    If no previous policy exists in the tenant, click the Create threat policy button to configure a new threat detection and remediation policy.

    For existing policies, the screen displays the records in a tabular format listed by Name, Status, Description, Theme, Created on and Last updated.

    Click the Grid icon or List icon to switch between the Grid and List view.

    Click the open list of options icon and select Enable or Delete for the created policy. In the List view, hovering over a record displays the Edit as draft icon.

  2. Click the Create threat policy button to create a new threat detection and remediation policy. For more information, see Creating a threat policy.
  3. The created threat policy can be enabled. For an enabled policy, the Status is displayed as Active in the main Threat detection screen. For more information, see Enabling threat policy.
    Note: Only one threat detection policy can be enabled at a time. Enabling a threat detection policy while another is active disables the currently enabled policy.
  4. After creating the policy, you can review it and make changes before enabling it. For more information, see Editing threat policy.