2.4 OOTB User Authentication Rules Supported

OARM provides out-of-the-box (OOTB) authentication rules that alert you to potential attackers so that you can take corrective action.

The following lists the OOTB user authentication rules supported by OARM. Each entry gives the rule name and the condition that triggers it.

Block based on Risky IP
  Triggered if the IP address has previously been marked as risky by the security team.

Block based on active anonymizer
  Triggered if the IP Location data provider has confirmed the IP address as an anonymizer within the last six months.

Challenge based on Suspect Anonymizer
  Triggered if the IP Location data provider has confirmed the IP address as an anonymizer within the last two years but not within the last six months.

Challenge based on Risky Device
  Triggered if the device has previously been marked as risky by the security team.

Challenge based on Country
  Triggered if the user has logged in from this country less than 20% of the time in the last three months.

Challenge based on Less frequently used Autonomous System Number (ASN)
  Triggered if user activity occurs from a less frequently used ASN.

Challenge based on Connection type
  Triggered if the user has logged in with this connection type less than 6% of the time in the last month.

Challenge based on Routing type that is not utilized very often
  Triggered if user activity occurs via a less commonly used routing type.

Challenge based on Least frequently used ISP
  Triggered if user activity occurs from a sparingly used ISP.

Challenge based on Device
  Triggered if the user has logged in from this device less than 10% of the time over the past month.

Challenge based on State from which least access happens
  Triggered if user activity occurs from the states with the least activity.

Challenge based on Indicate Less Visited Time of day
  Triggered if user activity occurs at a rarely used time, such as 1 AM local time, when most users are dormant.
  This is a pattern-based rule: it fires when the entity falls into the pattern bucket less than a certain percentage of the time, measured against all entities seen.

Challenge based on Browser locale from which least access happens
  Triggered if user activity occurs from the browser locale with the least access.
  This is a pattern-based rule: it fires when the entity falls into the pattern bucket less than a certain percentage of the time, measured against all entities seen.

Challenge based on Connection type that is not utilized very often
  Triggered if user activity occurs via a less commonly used connection type.
  This is a pattern-based rule: it fires when the entity falls into the pattern bucket less than a certain percentage of the time, measured against all entities seen.

Challenge based on Country from which least access happens
  Triggered if user activity occurs from the states with the least activity.

Challenge based on Day of week with the lowest number of visitors
  Triggered if user activity occurs on the days of the week with the fewest visitors.
  This is a pattern-based rule: it fires when the entity falls into the pattern bucket less than a certain percentage of the time, measured against all entities seen.

Challenge based on Risky countries
  Triggered if the country has previously been marked as risky by the security team.

Challenge based on Unknown Anonymizer
  Triggered for an IP address whose initial anonymizer classification came from other sources and has not yet been confirmed by the IP Location data provider; no positive test results are available for it. The address is removed from the list if no positive test results are obtained.

Challenge based on Dormant Device
  Triggered if a device has not been used in thirty days and more than two users log in from it within twenty-four hours.

Challenge based on Device with many failures
  Triggered if a device makes more than four unsuccessful login attempts within eight hours.

Challenge based on Maximum devices per user
  Triggered if a user logs in from more than two devices within eight hours.

Challenge based on device maximum velocity
  Triggered if the device appears to have traveled faster than jet speed in the last 20 hours since its previous login.

Challenge based on risky connection type
  Triggered if the connection type has previously been marked as risky by the security team.

Challenge based on limit activity from dormant IPs
  Triggered if a dormant IP address is used excessively for user activity.

Challenge based on limit user activity surge from an IP
  Triggered if there is a surge in user activity from a specific IP address.

Challenge based on private anonymizer
  Triggered for an IP address reported to host anonymous proxies that are not publicly accessible, so automated tools cannot test them on a regular basis. Such addresses are typically associated with commercial ventures that sell anonymity services to the general public; the designation is derived from ownership data or obtained from reliable sources.

Challenge based on user blocked recently
  Triggered if the user has been blocked more than twice in the last eight hours.

Challenge based on maximum users per device
  Triggered if more than four users log in from the same device within thirty days.

Challenge based on day of the week
  Triggered if user activity occurs on the days of the week with the fewest visitors.

Challenge based on Time of day
  Triggered if the user has logged in within the current time range less than 3% of the time in the last month.

Does user have a profile
  Determines whether the pattern auto-learning feature is enabled and whether the user has a historical behavior profile.

Is there enough pattern data available?
  Determines whether enough pattern data is available for the auto-learning rules to use.

Predict if current session is fraudulent
  Checks whether the current session is predicted to be fraudulent by the Oracle Data Miner (ODM) fraud classification model.

Predict if current session is anomalous
  Predicts whether the current session is anomalous using the ODM anomaly model.
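The rules above are of three kinds: lookups against lists the security team maintains (risky IP), pattern-bucket rules that compare the current attempt against the user's own history over a window (country less than 20% in three months, device less than 10% in a month), and velocity or counter rules over a short window (more than four failures from a device in eight hours, more than two devices per user in eight hours, a dormant device hit by more than two users in a day). The following Python is an added illustration of how such rules evaluate over constructed login events; it is not OARM code. It assumes a simple event record (user, timestamp, IP, device, country, success flag), takes the thresholds from the list above, and treats an empty history as "no profile", standing in for the "Does user have a profile" gate so that pattern rules never fire on a first-time user. The risky-IP set and all events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    """One authentication attempt (constructed record; OARM's real event schema is richer)."""
    user: str
    ts: datetime
    ip: str
    device: str
    country: str
    success: bool  # False for a failed attempt


# Constructed stand-in for the list a security team would maintain.
RISKY_IPS = {"203.0.113.9"}


def in_window(events, end, span):
    """Events with end - span <= ts < end: the lookback window a rule reasons over."""
    start = end - span
    return [e for e in events if start <= e.ts < end]


def bucket_share(events, attr, value):
    """Fraction of events whose attribute equals value: the 'pattern bucket' membership rate."""
    return sum(1 for e in events if getattr(e, attr) == value) / len(events) if events else 0.0


def block_risky_ip(history, cur):
    return cur.ip in RISKY_IPS


def challenge_country(history, cur):
    """Successful logins from this country < 20% of the user's logins in the last three months."""
    past = [e for e in in_window(history, cur.ts, timedelta(days=90)) if e.user == cur.user and e.success]
    return bool(past) and bucket_share(past, "country", cur.country) < 0.20  # no history: no profile, no fire


def challenge_device(history, cur):
    """Logins from this device < 10% of the user's successful logins over the past month."""
    past = [e for e in in_window(history, cur.ts, timedelta(days=30)) if e.user == cur.user and e.success]
    return bool(past) and bucket_share(past, "device", cur.device) < 0.10


def device_many_failures(history, cur):
    """More than four failed attempts from this device within eight hours."""
    recent = in_window(history, cur.ts, timedelta(hours=8))
    return sum(1 for e in recent if e.device == cur.device and not e.success) > 4


def max_devices_per_user(history, cur):
    """User seen on more than two devices within eight hours (the current device counts)."""
    recent = in_window(history, cur.ts, timedelta(hours=8))
    return len({e.device for e in recent if e.user == cur.user} | {cur.device}) > 2


def max_users_per_device(history, cur):
    """More than four users on this device within thirty days."""
    recent = in_window(history, cur.ts, timedelta(days=30))
    return len({e.user for e in recent if e.device == cur.device} | {cur.user}) > 4


def dormant_device(history, cur):
    """Device idle for thirty days, then more than two users log in from it within 24 hours."""
    gap_start, gap_end = cur.ts - timedelta(days=30), cur.ts - timedelta(hours=24)
    seen_before = any(e.device == cur.device and e.ts < gap_start for e in history)  # brand-new devices are not "dormant"
    used_in_gap = any(e.device == cur.device and gap_start <= e.ts < gap_end for e in history)
    burst_users = {e.user for e in in_window(history, cur.ts, timedelta(hours=24)) if e.device == cur.device}
    return seen_before and not used_in_gap and len(burst_users | {cur.user}) > 2


RULES = [
    ("Block based on Risky IP", "BLOCK", block_risky_ip),
    ("Challenge based on Country", "CHALLENGE", challenge_country),
    ("Challenge based on Device", "CHALLENGE", challenge_device),
    ("Challenge based on Device with many failures", "CHALLENGE", device_many_failures),
    ("Challenge based on Maximum devices per user", "CHALLENGE", max_devices_per_user),
    ("Challenge based on maximum users per device", "CHALLENGE", max_users_per_device),
    ("Challenge based on Dormant Device", "CHALLENGE", dormant_device),
]


def evaluate(history, cur):
    """Run every rule against the current attempt; BLOCK outranks CHALLENGE outranks ALLOW."""
    fired = [(name, action) for name, action, rule in RULES if rule(history, cur)]
    actions = {action for _, action in fired}
    decision = "BLOCK" if "BLOCK" in actions else "CHALLENGE" if "CHALLENGE" in actions else "ALLOW"
    return {"fired": fired, "decision": decision}


# Constructed scenarios.
T0 = datetime(2024, 3, 1, 9, 0)
# 1: alice logs in daily from the US on device D1 for 30 days, then appears from DE on D2.
HISTORY_ALICE = [LoginEvent("alice", T0 + timedelta(days=i), "198.51.100.10", "D1", "US", True) for i in range(30)]
CUR_ALICE = LoginEvent("alice", T0 + timedelta(days=31), "198.51.100.77", "D2", "DE", True)
# 2: five failed attempts from device D9, then a success from an IP on the risky list.
T1 = datetime(2024, 4, 2, 8, 0)
HISTORY_BOB = [LoginEvent("bob", T1 + timedelta(minutes=10 * i), "198.51.100.20", "D9", "US", False) for i in range(5)]
CUR_BOB = LoginEvent("bob", datetime(2024, 4, 2, 9, 30), "203.0.113.9", "D9", "US", True)
# 3: device D5 last used in January, then three different users within a day in April.
HISTORY_D5 = [
    LoginEvent("carol", datetime(2024, 1, 10, 9, 0), "198.51.100.30", "D5", "US", True),
    LoginEvent("dave", datetime(2024, 4, 4, 15, 0), "198.51.100.31", "D5", "US", True),
    LoginEvent("erin", datetime(2024, 4, 5, 8, 0), "198.51.100.32", "D5", "US", True),
]
CUR_FRANK = LoginEvent("frank", datetime(2024, 4, 5, 12, 0), "198.51.100.33", "D5", "US", True)

if __name__ == "__main__":
    for hist, cur in [(HISTORY_ALICE, CUR_ALICE), (HISTORY_BOB, CUR_BOB), (HISTORY_D5, CUR_FRANK)]:
        print(cur.user, evaluate(hist, cur))
```

Two design points carry over to the real product. Pattern rules divide by the user's own history, so a first login (no profile) must be gated separately rather than treated as 0% and challenged; that is why the "Does user have a profile" and "Is there enough pattern data available?" rules exist alongside the pattern rules. And counter rules count failed attempts as well as successes, so the event store feeding them has to retain failures, not just sessions that were established.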