How to investigate inconsistencies between the numbers in the Forensic Summary report and case management
RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Adaptive Authentication (OnPrem)
RSA Version/Condition: 7.x
Platform: Other
Platform (Other): All
O/S Version: All
While auditing the Forensic Summary report, a customer noticed inconsistencies in some of the numbers for an end user with an IP address from a blacklisted country. The numbers did not match what was seen in the AAoP case management application.
Ensure all forensic logs are being transferred to RSA Central, or the counts will be off. Check for error handling on failed file transfers and for timing issues. Refer to the RSA Adaptive Authentication (On-Premise) 7.x Operations Guide for details on how to interact with RSA Central.
When auditing numbers in Forensic or Policy Summary reports against case management, note the time zone on the records retrieved. To account for all user accesses indicated on the reports, you will need to query case management for the last portion of the previous day, depending on your offset from GMT.
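The day-boundary effect described above, as an added example (not RSA's code and not part of the original article). It assumes the report buckets events by GMT day while case management shows local time at a fixed UTC-5 offset; the event times and function names are constructed for illustration.

```python
from collections import Counter
from datetime import date, datetime, time, timedelta, timezone

GMT = timezone.utc
# Assumption: case management displays local time at a fixed UTC-5 offset.
LOCAL = timezone(timedelta(hours=-5))

# Constructed sample: one user's access times as shown in case management.
EVENTS = [
    datetime(2024, 3, 9, 18, 30, tzinfo=LOCAL),   # 23:30 GMT on Mar 9
    datetime(2024, 3, 9, 19, 15, tzinfo=LOCAL),   # 00:15 GMT on Mar 10
    datetime(2024, 3, 9, 23, 50, tzinfo=LOCAL),   # 04:50 GMT on Mar 10
    datetime(2024, 3, 10, 9, 0, tzinfo=LOCAL),    # 14:00 GMT on Mar 10
    datetime(2024, 3, 10, 20, 5, tzinfo=LOCAL),   # 01:05 GMT on Mar 11
]


def counts_by_day(events, tz):
    """Count events per calendar day as seen in the given time zone."""
    return Counter(e.astimezone(tz).date() for e in events)


def local_query_window(report_day, local_tz):
    """Return the local-time [start, end) range that covers one GMT day."""
    start = datetime.combine(report_day, time.min, tzinfo=GMT)
    end = start + timedelta(days=1)
    return start.astimezone(local_tz), end.astimezone(local_tz)


def events_in_window(events, start, end):
    """Select events inside the half-open window; aware datetimes compare by instant."""
    return [e for e in events if start <= e < end]


if __name__ == "__main__":
    day = date(2024, 3, 10)
    start, end = local_query_window(day, LOCAL)
    print("report (GMT day) count:", counts_by_day(EVENTS, GMT)[day])
    print("naive local-day count: ", counts_by_day(EVENTS, LOCAL)[day])
    print("query case management from", start, "to", end)
    print("count in that window:  ", len(events_in_window(EVENTS, start, end)))
```

For an offset east of GMT the same function returns a window that ends in the early hours of the following local day rather than starting on the previous one.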