Access Detection and Analytics
Access Detection recognizes facts of access usage in the data that ObserveID receives from its integrations. It is a complex, multi-stage data analysis process with integration-specific dependencies. Base components and per-integration components take part in collecting, cleaning, analyzing and interpreting the data. At a high level, Access Detection captures raw events associated with gaining authorized access to the target resources, and identifies active sessions, closed sessions, and additional properties. For some integrations, it also reads entries from text logs and provides more context information.
An active session and a closed session each represent a single act of access usage. Often one session event provides more information about the circumstances it happened in, and this information is captured in the 'additional properties' of the session events. The range of information that is available for an integration and recognized as additional properties of a session is determined by the capabilities of the integration itself. Additional properties can be anything, and they often take the form of a key-value pair.
Analytics vs Access Detection
Integrations produce a large amount of data describing facts of access usage. Access Detection feeds this data to Analytics, where it is processed further and visualized with the functional capabilities of Analytics, such as grid and chart views, sorting, search, and basic and advanced filtering.
Analytics is a tool to view what data was actually collected by Access Detection from the corporate targets onboarded as integrations in ObserveID. It can be the data from one integration or a combination of integrations.
Interrelationships
Analytics is a tool for data analysis, data selection, and representation adjustments. Access Detection is an engine for feeding the analysis with data. Analytics and Access Detection are intertwined and support one another. Consider the following cases as examples:
- To view what logons were blocked on the target, open Analytics and see the Access Detection data about the sessions that were blocked due to the enabled Blocked List policies on the target. For more details, see: Block Access
- To filter the Access Detection data against the Exception List policies, so that the data in the Analytics report is as precise as possible and skips system information, diagnostics information, or other session data that is redundant in the final representation of the report, see: Remove Access Detection data from Analytics
