Modifying attribute matchers

Attribute matchers match incoming attributes to attributes in a device fingerprint. The predefined matchers are set to default values. You can modify those values to customize the risk calculations for your policies.

About this task

Each predefined matcher uses specific properties.

exact_match

The exact_match matcher checks whether the values of an attribute in a registered device and an incoming request exactly equal each other. Use this matcher if the more specialized matchers are not appropriate for the attribute. This matcher cannot be modified.

location_matcher

The location matcher checks whether the location of a device is within a specific distance from the previous known locations of a device.

Comparison

Indicates how you want the attribute matcher to calculate the accuracy range of the location coordinates.

Distance

Specifies the maximum distance between the new location and the historic locations. The value is in kilometers. The default value is 40.

login_time_matcher

The login matcher compares and analyzes the historical login time data for the user with the current login time of the user.

Threshold

Indicates the probability that a user might log in at a particular time. Valid values are 0 to 1. The default value is 0.3. This default value indicates the probability that the user logs in approximately within an hour of the previous login times. If you set a lower value, the odds of a return value of true are higher and the risk score is lower. If you set a higher value, the odds of a return value of true are lower and risk score is higher. For example, if you set a value of 0.5, the matcher almost always returns false. The login time analysis collects data for eight login times before it provides input for risk score calculation.

ipaddr_matcher

The IP address matcher compares an inclusion list (trusted) or exclusion list (not trusted) of IP addresses with the historical IP addresses of the device.

Trusted addresses

IPV4 addresses

IP and Netmask: Specifies the IP address and its netmask to include. Include X.X.X.X as a value to compare the incoming IP address with the IP address with which the device is registered.

IPV6 addresses

IP and Prefix: Specifies the IP address and its prefix to include. Include X:X:X:X:X:X:X:X as a value to compare the incoming IP address with the IP address with which the device is registered.

Untrusted addresses

IPV4 addresses

IP and Netmask: Specifies the IP address and its netmask to exclude. Include X.X.X.X as a value to compare the incoming IP address with the IP address with which the device is registered.

IPV6 addresses

IP and Prefix: Specifies the IP address and its prefix to exclude. Include X:X:X:X:X:X:X:X as a value to compare the incoming IP address with the IP address with which the device is registered.

Use the IP reputation database for classification of IP addresses

Select this box to check the requesting IP address against the addresses in the IP Reputation database. Addresses in the database are associated with one or more classifications. If the requesting address matches an address in the database, the database returns a score for each classification that is associated with the address.

The IP reputation threshold for classifications

The score that is compared to the classification score of an IP address. Select a score between 0 and 100 below the Untrusted tab in IP Address Matcher Properties. The default value is 50.

Procedure

1. Log in to the local management interface.
2. Click AAC.
3. Under Policy, click Attributes.
4. Click Matchers.
5. Click the icon for the matcher.
6. Change the properties.
7. Click Save.
8. When you modify an attribute matcher, a message indicates that there are changes to deploy. If you are finished with the changes, deploy them.

   For more information, see Deploying pending changes.

Results

The modified attribute matcher is saved.