Threat actors
AppSentinels Security Platform detects threat activities carried out against the application, and threat details are presented on the Dashboard. Threat activities are categorized as failed or successful attack attempts made by known or unknown users of the application.
The AppSentinels Threat Assessment engine provides comprehensive fingerprinting capabilities for threat activities. Threat activities are grouped by the threat actors responsible for the activity. Threat actor details include their source IP address and geolocation, the list of attack tactics and techniques used, the number of attack attempts, and whether the attacks succeeded.
The engine also assigns a threat level and a recommendation to block or monitor the threat actor depending on the nature of the attacks they carry out. The recommendation can be manually overridden.
Threat actor details are accessible from the Threat Actors tab in the left navigation menu. Threat activities are displayed in two views: Summary view and Monitored Users view.
Summary view is a collection of widgets showing User State, Threat Level, Activity, Attack Tactics, and other statistics. Monitored Users view is a listing of the application users with their user ID, state, threat level, geolocation, and other operational data.
In the Monitored Users view, the users are listed with the following data:
Monitored User
The IP address or user ID of the user.
Risk
The AppSentinels-assigned threat level based on the risk posed by the user: High, Medium, or Low.
Attempts
The number of attack attempts made by the user.
Tactics
The attack tactics used by the user to carry out the threat activity, for example Exfiltration or Privilege Escalation.
Techniques Used
The list of attack techniques the user employed to carry out the threat activity, for example Broken Object Level Authorization, Broken User Authentication, or Protocol Attack.
Geolocation
The location from which the user carried out the attack: Private IP, Unknown, or Public IP.
Recommended State
The AppSentinels-recommended monitoring state for the user, based on the threat activities observed from the user: Block or Monitor.
State
The current monitoring state of the user:
Block: AppSentinels policies have restricted the user's access to the application.
Monitor: All activities from this user are being logged.
Whitelist: AppSentinels policies do not restrict the user's access to the application.
Managed
The label indicating how the current state was assigned to the user:
System: The current state was assigned automatically by the AppSentinels Threat Assessment engine.
Manual: The current state was assigned by an operator, overriding the engine's recommendation.
First Discovered
The date and time when threat activity from the user was first discovered.
Last Observed
The date and time when threat activity from the user was last observed.
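The grouping described earlier (raw threat events rolled up per threat actor into the Monitored Users fields listed above, with a system-assigned recommendation that a manual override can pin) is illustrated below as an added Python example. This is illustrative code written for this page, not AppSentinels' own implementation: the event schema, the sample events, the names `fingerprint`, `assess` and `override_state`, and the risk thresholds `HIGH_ATTEMPTS` and `MEDIUM_ATTEMPTS` are all assumptions, since the page does not document how the engine scores actors.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample of raw threat events (not real AppSentinels data). Each
# event is one detected attack attempt attributed to an actor identified by
# source IP address or application user ID.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "actor": "203.0.113.7", "geo": "Public IP",
     "tactic": "Privilege Escalation", "technique": "Broken Object Level Authorization",
     "success": False},
    {"ts": "2024-05-01T10:05:00", "actor": "203.0.113.7", "geo": "Public IP",
     "tactic": "Privilege Escalation", "technique": "Broken Object Level Authorization",
     "success": True},
    {"ts": "2024-05-01T09:00:00", "actor": "10.0.0.5", "geo": "Private IP",
     "tactic": "Exfiltration", "technique": "Protocol Attack", "success": False},
    {"ts": "2024-05-02T08:30:00", "actor": "user-42", "geo": "Unknown",
     "tactic": "Exfiltration", "technique": "Broken User Authentication", "success": False},
    {"ts": "2024-05-02T08:31:00", "actor": "user-42", "geo": "Unknown",
     "tactic": "Exfiltration", "technique": "Broken User Authentication", "success": False},
    {"ts": "2024-05-02T08:32:00", "actor": "user-42", "geo": "Unknown",
     "tactic": "Exfiltration", "technique": "Broken User Authentication", "success": False},
]

# Later constructed batch, used to show re-assessment after a manual override.
MORE_EVENTS = [
    {"ts": "2024-05-03T12:00:00", "actor": "203.0.113.7", "geo": "Public IP",
     "tactic": "Exfiltration", "technique": "Protocol Attack", "success": False},
]

# Hypothetical thresholds; the real engine's scoring is not documented on this page.
HIGH_ATTEMPTS = 10
MEDIUM_ATTEMPTS = 3
VALID_STATES = {"Block", "Monitor", "Whitelist"}


@dataclass
class ThreatActor:
    """One row of the Monitored Users view."""
    monitored_user: str
    geolocation: str
    attempts: int = 0
    succeeded: bool = False
    tactics: Set[str] = field(default_factory=set)
    techniques: Set[str] = field(default_factory=set)
    first_discovered: Optional[datetime] = None
    last_observed: Optional[datetime] = None
    risk: str = "Low"
    recommended_state: str = "Monitor"
    state: str = "Monitor"
    managed: str = "System"


def assess(actor: ThreatActor) -> None:
    """Assign risk and recommended state (hypothetical rule), then apply the
    recommendation only while the state is still system-managed."""
    if actor.succeeded or actor.attempts >= HIGH_ATTEMPTS:
        actor.risk, actor.recommended_state = "High", "Block"
    elif actor.attempts >= MEDIUM_ATTEMPTS:
        actor.risk, actor.recommended_state = "Medium", "Monitor"
    else:
        actor.risk, actor.recommended_state = "Low", "Monitor"
    if actor.managed == "System":
        actor.state = actor.recommended_state


def fingerprint(events: List[dict],
                actors: Optional[Dict[str, ThreatActor]] = None) -> Dict[str, ThreatActor]:
    """Group raw events by actor, accumulating attempts, tactics, techniques,
    success and first/last timestamps, then re-assess every actor."""
    actors = {} if actors is None else actors
    # ISO-8601 timestamps sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        actor = actors.setdefault(ev["actor"], ThreatActor(ev["actor"], ev["geo"]))
        actor.attempts += 1
        actor.succeeded = actor.succeeded or ev["success"]
        actor.tactics.add(ev["tactic"])
        actor.techniques.add(ev["technique"])
        if actor.first_discovered is None or ts < actor.first_discovered:
            actor.first_discovered = ts
        if actor.last_observed is None or ts > actor.last_observed:
            actor.last_observed = ts
    for actor in actors.values():
        assess(actor)
    return actors


def override_state(actor: ThreatActor, state: str) -> ThreatActor:
    """Manual override: pin the state and mark it Manual so later assessments
    update the recommendation without changing the enforced state."""
    if state not in VALID_STATES:
        raise ValueError(f"unknown state {state!r}; expected one of {sorted(VALID_STATES)}")
    actor.state = state
    actor.managed = "Manual"
    return actor


if __name__ == "__main__":
    table = fingerprint(EVENTS)
    override_state(table["203.0.113.7"], "Whitelist")
    fingerprint(MORE_EVENTS, table)
    for a in table.values():
        print(f"{a.monitored_user:12} risk={a.risk:6} attempts={a.attempts} "
              f"recommended={a.recommended_state:7} state={a.state:9} managed={a.managed}")
```

The point to take from the override path is that a Manual state survives re-assessment: the engine keeps updating Risk and Recommended State as new events arrive, so an operator who whitelisted an actor can still see that the system would now recommend Block, but enforcement does not change until the override is lifted.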