000032285 - Understanding custom event types in RSA Adaptive Authentication (OnPrem) 7.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032285
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Issue: Risk scores are normalized separately over a combination of org_id, channel_indicator, event_type and user_defined_event_type fields.
Custom event types can be tied to a built-in event type in the backoffice application and are identified by the user_defined_event_type field in the event_log table.
It is important that enough activity is coming in for this grouping to normalize consistently.
Tasks: Normalization looks back on data from the past 7 days and is based on the preliminary score distribution alone, not on case management feedback (case management feedback is crucial for the accuracy of risk scores, but not for normalization). The minimum volume required for reasonable normalization is 4K transactions over 7 days. Good normalization requires 8K transactions over 7 days.
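One way to check this volume requirement against rows exported from event_log, as an added example that is not RSA's code: it counts events per org_id, channel_indicator, event_type and user_defined_event_type over the past 7 days and rates each group against the 4K and 8K figures above. The event_time field name and all sample rows are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

MIN_VOLUME = 4000   # article: minimum for reasonable normalization over 7 days
GOOD_VOLUME = 8000  # article: volume for good normalization over 7 days
WINDOW = timedelta(days=7)

def group_key(row):
    """The normalization grouping named in the article."""
    return (row["org_id"], row["channel_indicator"], row["event_type"],
            row.get("user_defined_event_type") or None)  # None for built-in events

def normalization_volume(rows, now):
    """Count events per group inside the 7-day window and rate each group."""
    counts = Counter(group_key(r) for r in rows
                     if now - WINDOW <= r["event_time"] <= now)  # event_time: assumed name
    report = {}
    for key, n in counts.items():
        if n < MIN_VOLUME:
            rating = "insufficient"
        elif n < GOOD_VOLUME:
            rating = "reasonable"
        else:
            rating = "good"
        report[key] = (n, rating)
    return report

def sample_rows(now):
    """Constructed sample data, not real event_log content."""
    def make(n, age_days, event_type, custom=None):
        return [{"org_id": "default", "channel_indicator": "WEB",
                 "event_type": event_type, "user_defined_event_type": custom,
                 "event_time": now - timedelta(days=age_days)} for _ in range(n)]
    return (make(9000, 1, "SESSION_SIGNIN")
            + make(5000, 2, "CLIENT_DEFINED", "WIRE_APPROVAL")
            + make(120, 3, "SESSION_SIGNIN", "KIOSK_LOGIN")
            + make(6000, 10, "SESSION_SIGNIN", "KIOSK_LOGIN"))  # older than the window

if __name__ == "__main__":
    now = datetime(2017, 4, 21)
    report = normalization_volume(sample_rows(now), now)
    for key, (n, rating) in sorted(report.items(), key=str):
        print(key, n, rating)
```

In the sample, the custom event tied to SESSION_SIGNIN is counted as its own group, separate from the built-in SESSION_SIGNIN traffic, and falls below the minimum once events older than 7 days are excluded. A group with no events in the window does not appear in the report at all.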
To create a new event type, go to Backoffice -> Policy Management -> Manage Custom Event Types -> New. The value of the event_log table column user_defined_event_type comes from the Event Name. If you do not tie the custom event to a predefined event, it falls under the CLIENT_DEFINED event type. In the SOAP analyze request, the XML element clientDefinedEventType corresponds to user_defined_event_type and is tied to eventType, which is CLIENT_DEFINED unless the custom event was tied to a predefined event type such as SESSION_SIGNIN. Below is an example of the SOAP analyze request's eventDataList.