Note: This feature is unavailable in the Identity Enterprise Basic Plan.
- To subscribe to the Standard Plan, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.
- To apply for a free trial, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Feature Usage > Apply for Plan Add-Ons.
Behavior Detection allows you to configure security policy rules based on user behavior. For example, you can configure a policy that requires multi-factor authentication when a user signs in from a new location or uses a new device. You can track specific user behaviors and when they should take effect. After configuring a user behavior condition, you can add it to your security policy rules to regulate when users must provide multi-factor authentication.
The behavior detection feature enables administrators to configure when users are required to provide a second form of authentication.
To use behavior detection, you need to specify the following information:
- The type of user behavior to track.
- Details about the granularity, scope, or number of previous successful authentications for evaluating user behavior.
Note that you do not need to specify the user action for defining the tracked behavior conditions. Instead, you need to specify the user actions separately when adding behavior conditions to the sign-on policies for the behavior detection to take effect.
Default Behavior Rules
The table below lists all default behavior detection rules and related settings. For details about behavior types definition, see Behavior Types below.
|Behavior Type||Details||Check Against Last|
|New City||New City||20 authentications|
|New State||New State||15 authentications|
|New Country||New Country||10 authentications|
|New Geo-Location||New Geo-Location (20 kilometers)||20 authentications|
|New Device||New Device||20 authentications|
|New IP||New IP||50 authentications|
|Velocity||Velocity (805 km/h)||Calculated velocity|
|Connect to One-Click WiFi within 30 minutes||Connected to One-Click WiFi||30 minutes|
|Connect to One-Click VPN within 30 minutes||Connected to One-Click VPN||30 minutes|
|Enter site within 30 minutes||Entry||30 minutes|
New Device: When a user signs in with a device that is different from the last successful sign-in, the system checks the device against the last 20 successful sign-ins to determine if the sign-in attempt is from a new client.
Note: The device check is client-based, hence, if a user signs in from a new browser the system will consider this as signing in from a new client (equivalent to signing in from a new device).
|IP address||New IP: When a user signs in with an IP address that is different from the last successful sign-in, the system will check the detected IP against the last 50 successful sign-ins to determine if the sign-in attempt is from af new IP address.|
|Velocity||Velocity: Velocity is a measurement used to identify suspicious sign-ins. The velocity measures the distance and time elapsed between two locations the user signed in from. The velocity is then checked against the geographic distance and time elapsed between two consecutive sign-ins. The default velocity is 805 km/h (500 mph).|