Tags allow Kount customers to send custom information with the Kount Control Login Decision. These user-defined text fields are used in Profile or Policy creation. When a Profile or Policy evaluates as true, any associated tags are sent with the API Response.
Managing Tags
The Tags page provides a list of tags you can view, create, edit, and delete. The Tags list shows you when a tag was last edited and the number of policies and profiles assigned to it.
To find the Tags page, go to Decision Manager from the Kount Control Portal, and then click Tags. From this page, you can view the list of tags and their associated metadata.
Creating a tag
- From the Tags page, click Create Tags.
- From the Create Tags page, enter your desired tag name in the textbox. If you decide not to create a new tag, you can go back to the Tags page by clicking All Tags or Cancel.
NOTE: Tag names must be a minimum of three characters.
- Once you have entered your tag name, click Save Tag.
NOTE: You cannot have more than 500 tags. To reduce the number of tags you currently have, refer to the Deleting a tag section.
Editing a tag
- To edit a tag, click either the edit icon or the tag name. The Edit Tag page displays. You can edit the tag name, remove a tag from a policy and/or profile, or delete the tag.
- To change the name of the tag, replace the existing name in the Tag Name textbox.
- To remove a tag from a profile and/or policy, click the X in the Remove Tag column to the right of the Profile/Policy name.
- To delete the tag, click the delete icon in the upper-right corner next to Cancel Changes.
- Once you have made your tag edits, click Save Tag.
Deleting a tag
To delete a tag, click the delete icon in the Delete column.
API Response
When a decision is returned through the API, all tags associated with the Profile and Policies that evaluated as true are included in the tags block:
{
  "decision": "Allow",
  "deviceId": "71dd0ae7bf684fde81ecfbeb50******",
  "matchedToDevice": "Device not found",
  "sessionId": "a5312b830b2a4b50a37e3c74f0******",
  "tags": [
    "US_Regulated_Region",
    "Subscription"
  ],
  "userProfile": "Subscriber"
}
Frequently Asked Questions
What is Apply No Decision?
When creating a Policy, there is an action that is taken when the conditions evaluate as true. The available actions are Block, Challenge, and Apply No Decision.
When Apply No Decision is chosen as the action for a Policy, and that Policy evaluates as true, it has no effect on the final decision for the Login. However, any Tags that are associated with the Policy will be sent along with the Login API response.
This allows Kount customers to send information via the API when certain conditions exist, even when they do not want those decisions to affect the outcome of a Login.
What are some use-cases for Tags?
There are various use-cases for tags, many of them dependent on your organization and how you use data from the Kount Login API. The following are examples of how tags might be used:
- Assigning tags to tell a business's internal system what type of multifactor authentication to use. If the risk is high, the multifactor might be very secure, whereas if the risk is low, a simple captcha or other method could be employed.
- Assigning a tag to know that a login event was from a certain region.
- Assigning a tag that allows an Ops team to investigate potential high risk IP addresses or IP Organizations.
Other use cases
Tags are often used to get actionable information (like the number of excessive failed attempts or an alert about a scripted attack) into the customer's system.
Excessive failed attempts
For example, a customer wants to know when the number of failed attempts for their login exceeds the bounds of normal operations, and they want Security Operations to be notified through their alerting system. To do so, the customer would:
- Create a Policy counting the number of failed attempts from an IP address when it exceeds their threshold for a given hour, and set the Policy to Apply No Decision.
- Tag the policy “failedIPThreshold”.
- Set their Splunk to send an alert when it sees the text “failedIPThreshold” accompanying a Kount Control response.
Alerting for a scripted attack
A customer wants to be able to alert their Security Operations when they are seeing the signs of a scripted attack. The customer adds a tag to the velocity the NOC wants to watch, and then that tag is sent back with the login API response. Their internal alerting system picks up the tag and alerts Security Operations.
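The two alerting use cases above, "Excessive failed attempts" and "Alerting for a scripted attack", both come down to reading the tags block of the response and alerting on specific tag names. The following is an added example, not Kount code: the function names, severities, sample responses, and the tag name "scriptedAttackVelocity" are assumptions made for illustration, and only the response field names and "failedIPThreshold" come from this page.

```python
import json

# Tags that should raise an alert, mapped to a severity chosen for this example.
# "failedIPThreshold" is the tag named above; "scriptedAttackVelocity" is a
# hypothetical name for the tag attached to the watched velocity.
ALERT_TAGS = {"failedIPThreshold": "high", "scriptedAttackVelocity": "critical"}

# Constructed sample responses using the field names shown in the API Response
# section. The session IDs are placeholders, not real values.
SAMPLE_TAGGED = json.dumps({
    "decision": "Allow",  # Apply No Decision leaves the outcome unchanged
    "sessionId": "EXAMPLE-SESSION-0001",
    "tags": ["US_Regulated_Region", "failedIPThreshold"],
    "userProfile": "Subscriber",
})
SAMPLE_UNTAGGED = json.dumps({"decision": "Allow", "sessionId": "EXAMPLE-SESSION-0002"})


def extract_tags(response):
    """Return the tag names in a decoded response; a missing block means none."""
    tags = response.get("tags") or []
    if not isinstance(tags, list):
        raise ValueError("tags block is not a list")
    return [t for t in tags if isinstance(t, str)]


def build_alerts(raw_response):
    """Turn one login decision response into zero or more alert events."""
    response = json.loads(raw_response)
    if not isinstance(response, dict):
        raise ValueError("response is not a JSON object")
    alerts = []
    for tag in extract_tags(response):
        severity = ALERT_TAGS.get(tag)  # exact match; other tags are ignored
        if severity is not None:
            # Alert on the tag itself, whatever the decision field says.
            alerts.append({
                "alert": tag,
                "severity": severity,
                "decision": response.get("decision"),
                "sessionId": response.get("sessionId"),
            })
    return alerts


if __name__ == "__main__":
    for sample in (SAMPLE_TAGGED, SAMPLE_UNTAGGED):
        for alert in build_alerts(sample):
            print(json.dumps(alert, sort_keys=True))  # one line per alert for the SIEM
```

Because the tagged Policy is set to Apply No Decision, the alert is keyed on the tag and not on the decision field, which still reads "Allow" in the tagged sample.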