Updated on 2024-12-30 GMT+08:00

Managing Risky Behaviors

OneAccess can detect abnormal account behavior. After the function is enabled, the system detects abnormal user behavior based on the preset behavior rules. When a risk is triggered, the system sends an alarm in real time.

There are four types of risks:

  • Abnormal IP address: The login IP address of the account is inconsistent with the common IP address.
  • Abnormal location: The login location of an account is inconsistent with the common location.
  • Abnormal device: The login device (browser or terminal device) is inconsistent with the common device.
  • Account lockout: When the number of incorrect password attempts exceeds the threshold set in the password policy, the account is locked.

When the configured behavior triggers a risk, the system sends a risk notification through email, SMS, or DingTalk.
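
The following Python example is added here to illustrate how the four risk types relate to a per-account baseline of common login values. It is not OneAccess code: the event fields, the `COMMON_MIN_LOGINS` and `LOCKOUT_THRESHOLD` values, the reset of the failure counter on a successful login, and the sample events are all assumptions constructed for the illustration.

```python
from collections import Counter, defaultdict

# Assumed values; in OneAccess they come from the behavior's frequency
# settings and from the password policy.
COMMON_MIN_LOGINS = 3   # successful logins before a value counts as "common"
LOCKOUT_THRESHOLD = 5   # wrong-password attempts allowed before lockout

# Event field -> risk type name as shown in the console
RISK_BY_FIELD = {"ip": "Error IP", "location": "Error location",
                 "device": "Error device"}

class RiskDetector:
    def __init__(self):
        # seen[account][field] counts values from successful logins
        self.seen = defaultdict(lambda: defaultdict(Counter))
        self.failures = Counter()
        self.locked = set()

    def process(self, event):
        """Return the risk types triggered by one login event."""
        account = event["account"]
        if account in self.locked:
            return []                      # lockout was already reported
        if not event["success"]:
            self.failures[account] += 1
            if self.failures[account] > LOCKOUT_THRESHOLD:
                self.locked.add(account)
                return ["Account Locked"]
            return []
        self.failures[account] = 0         # assumption: a good login resets it
        risks = []
        for field, risk in RISK_BY_FIELD.items():
            counts = self.seen[account][field]
            common = {v for v, n in counts.items() if n >= COMMON_MIN_LOGINS}
            # Compare only once a baseline exists, so new accounts stay quiet.
            if common and event[field] not in common:
                risks.append(risk)
            counts[event[field]] += 1
        return risks

def login(account, ip, location, device, success=True):
    return {"account": account, "ip": ip, "location": location,
            "device": device, "success": success}

def run_sample():
    """Constructed events: a stable baseline, two odd logins, one lockout."""
    d = RiskDetector()
    usual = ("203.0.113.10", "Shenzhen", "Chrome/Windows")
    events = [login("alice", *usual)] * 3
    events.append(login("alice", "198.51.100.7", *usual[1:]))
    events.append(login("alice", "192.0.2.44", "Frankfurt", "Firefox/Linux"))
    events += [login("bob", *usual, success=False)] * 6
    return [d.process(e) for e in events]
```

Because every successful login is counted toward the baseline, an unfamiliar value becomes "common" after repeated use; a production rule set would normally learn only from logins that were reviewed or raised no risk.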

Adding a Behavior

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Security > Risk Behavior Manage.
  3. On the risky behavior management page, click Add operation, and set parameters.

    Table 1 Behavior parameters

    | Parameter | Description |
    | --- | --- |
    | * Behavior name | Name of a risky behavior. |
    | * Risk type | Risk event type. The options include Error location, Error device, Error IP, and Account Locked. |
    | Location type | Abnormal location range. You can define abnormal location events based on the selected location type. NOTE: This parameter is available only when Risk type is set to Error location. |
    | * Frequency settings | Set a default value for the IP addresses, devices, and locations that are frequently used for login. If the default values are not used, abnormal behaviors are displayed in the risk events and risk dashboard. NOTE: When Risk type is set to Account Locked, this parameter is not available. If the number of incorrect password attempts exceeds the threshold specified in the password policy, the account is locked, and the behavior is marked as a risk event and displayed in the risk events and risk dashboard. |
    | Description | Description of the added behavior. |

  4. Click OK. The behavior is added and displayed in the risky behavior list. You can filter the risky behaviors by risk type.

Editing a Behavior

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Security > Risk Behavior Manage.
  3. Click Modify in the Operation column of the target behavior to modify its configuration.
  4. Click OK.

Deleting a Behavior

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Security > Risk Behavior Manage.
  3. Click Delete in the Operation column of the target behavior.
  4. Click OK.

Disabling a Risky Behavior

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Security > Risk Behavior Manage.
  3. In the Status column of the target behavior, click .
  4. Click OK.

Enabling a Risky Behavior

After a risky behavior is enabled, the system detects abnormal user behavior based on the preset behavior rules. When a risk is triggered, the system sends an alarm in real time.

  1. Log in to the administrator portal.
  2. On the top navigation bar, choose Security > Risk Behavior Manage.
  3. In the Status column of the target behavior, click .
  4. Click OK.

Setting Notifications

When the configured behavior triggers a risk, the system sends a risk notification based on your setting.

  1. On the risky behavior management page, click Notify setting.
  2. In the displayed dialog box, set the notification method and objective.

    Table 2 Notification parameters

    | Parameter | Description |
    | --- | --- |
    | * Notification method | Way in which the system sends a notification when a risk behavior is triggered. Notifications can be sent through email, SMS, or DingTalk. If you select email or DingTalk, set the gateway by referring to Email Gateway and DingTalk Gateway. |
    | * Send objective | Object to which the system sends a notification when a risk behavior is triggered. By default, notifications are sent to all users. You can also exclude specified users. |

  3. Click OK.