000030239 - How to investigate inconsistencies in numbers in forensic summary report and case management

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030239
Applies To:
RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Platform: Other
Platform (Other): All
O/S Version: All
Issue: While auditing the forensic summary, a customer noticed inconsistencies in some of the numbers for an end user with an IP from a blacklisted country. The numbers did not match what was seen in the AAoP case management application.
Tasks: Ensure all forensic logs are being transferred to RSA Central; otherwise the counts will be off. Check for error handling on failed file transfers and for timing issues. Refer to the RSA Adaptive Authentication (On-Premise) 7.x Operations Guide for details on how to interact with RSA Central.
When auditing numbers in Forensic or Policy Summary reports against case management, note the timezone on the records retrieved. To account for all user accesses indicated on the reports you will need to query case management for the last portion of the previous day depending on your offset from GMT.
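
The timezone adjustment described above, as an added example that is not RSA code. It assumes the report buckets accesses by GMT day and case management shows local time at a fixed offset (both assumptions, as are the function names); the events are constructed sample data.

```python
from datetime import datetime, date, time, timedelta, timezone

def local_query_window(report_day, utc_offset_hours):
    """Local-time [start, end) window that covers one GMT report day."""
    local = timezone(timedelta(hours=utc_offset_hours))
    start_utc = datetime.combine(report_day, time.min, tzinfo=timezone.utc)
    end_utc = start_utc + timedelta(days=1)
    return start_utc.astimezone(local), end_utc.astimezone(local)

def reconcile(report_day, utc_offset_hours, events):
    """Compare a same-calendar-date count with the offset-adjusted count.

    events: timezone-aware datetimes as displayed in case management.
    Returns (naive_count, adjusted_count, window_start, window_end).
    """
    start, end = local_query_window(report_day, utc_offset_hours)
    # Naive audit: only look at records whose local date equals the report date.
    naive = sum(1 for ts in events if ts.date() == report_day)
    # Adjusted audit: include the tail of the previous local day that falls
    # inside the GMT report day, and drop the tail that belongs to the next one.
    adjusted = sum(1 for ts in events if start <= ts < end)
    return naive, adjusted, start, end

# Constructed sample: case-management records at GMT-5 (assumed offset).
OFFSET_HOURS = -5
LOCAL = timezone(timedelta(hours=OFFSET_HOURS))
CASE_EVENTS = [
    datetime(2017, 4, 19, 20, 15, tzinfo=LOCAL),  # 2017-04-20 01:15 GMT
    datetime(2017, 4, 19, 23, 50, tzinfo=LOCAL),  # 2017-04-20 04:50 GMT
    datetime(2017, 4, 20, 9, 30, tzinfo=LOCAL),   # 2017-04-20 14:30 GMT
    datetime(2017, 4, 20, 18, 59, tzinfo=LOCAL),  # 2017-04-20 23:59 GMT
    datetime(2017, 4, 20, 21, 5, tzinfo=LOCAL),   # 2017-04-21 02:05 GMT
]

if __name__ == "__main__":
    naive, adjusted, start, end = reconcile(date(2017, 4, 20), OFFSET_HOURS, CASE_EVENTS)
    print(f"query case management from {start} to {end}")
    print(f"same-date count: {naive}, offset-adjusted count: {adjusted}")
```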