How to Configure Session Intelligence
This guide describes how to configure and manage the Session Intelligence feature in the 12Port Platform for PAM. Session Intelligence enables dynamic, in-session monitoring and enforcement for brokered remote sessions, using behavior-based policies with AI-driven risk assessment.
Terminology
Before configuring Session Intelligence, familiarize yourself with the following key terms:
- Session Intelligence: A platform capability that provides dynamic monitoring and control of brokered remote sessions based on user behavior and contextual risk.
- Session Intelligence Policy: A collection of rules that define risky or anomalous user behaviors and specify automated response actions the platform should take to contain them.
- Session Intelligence Rule: A specific condition that defines a user behavior deemed potentially risky, along with one or more response actions.
- Session Intelligence Rule Condition: The part of a rule that defines which behavior to monitor and what thresholds constitute a threat.
- Session Intelligence Rule Action: The automated response triggered when a rule condition is met.
- Behavior Analytics: A set of mechanisms used to evaluate a user’s behavior over time, enabling detection of risks based on historical session data.
Defining Session Intelligence Rules
Each policy consists of one or more rules. A Session Intelligence Rule defines the monitored behavior and its associated risk thresholds, along with the actions that will be executed if the rule is triggered.
Some rules are based on static thresholds (e.g., number of file transfers), while others leverage Behavior Analytics to detect deviations from established behavioral baselines.
Session Intelligence Rule Conditions
A rule condition includes the type of behavior to monitor and the associated risk parameters. Supported rule types include:
- Clipboard Transfer
- File Transfer
- Session
- Session Events
Each Rule Type allows configuration of specific risk metrics:
| Condition | Description |
|---|---|
| Number of File Transfers | Number of files transferred per session. |
| File Size | Size threshold of individual files transferred. |
| Frequency of File Transfers | Number of file transfers per minute. |
| Number of Clipboard Transfers | Total clipboard operations per session. |
| Object Size | Size of data moved via clipboard transfers. |
| Frequency of Clipboard Transfers | Clipboard transfers per minute. |
| Session Length | Duration of the session in minutes. |
| Number of Events | Combined number of file, clipboard, and keyboard events per session. |
| Frequency of Events | Number of user events (file transfers, clipboard transfers, keyboard events) per minute. |
| User Variation | Behavior deviation compared to the same user’s previous sessions. The condition triggers the actions based on the accumulated statistics about past sessions. |
| Asset Variation | Behavior deviation compared to other users' sessions of the same asset. The condition triggers the actions based on the accumulated statistics about past sessions. |
| Rule Condition Description | A human-readable explanation of the rule's configured behavior and thresholds. |
Note
User and asset variation thresholds require historical data and are only applicable after a sufficient number of sessions have been recorded for analysis.
Session Intelligence Rule Actions
When a rule condition is triggered, one or more automated actions can be executed to mitigate risk. The following actions are supported:
| Action | Description |
|---|---|
| Log Event | Records the rule violation in the system event log, associating the user and asset involved. |
| Terminate Session | Ends the current session but leaves the access request active. The user can reconnect as needed. It can be combined with request workflows to temporarily pause access, avoiding the need to submit a new access request through the full multi-level approval process. |
| Complete Request | Ends the session and completes the access request, requiring reapproval before further access is granted. |
| Block User | Blocks the user account from accessing 12Port. |
| Reset Credentials | Triggers a credential rotation task for the associated asset credentials. |
Configuring Session Intelligence Policies
Session Intelligence policies are referenced in Access Profiles, which define user permissions and controls for accessing remote assets. By associating a Session Intelligence policy with an access profile, you can enforce behavioral monitoring and dynamic response for specific users, groups and assets.
Policies can be reused across access profiles, providing flexibility in applying different behavioral controls based on user role, containers, asset sensitivity, or access context.
Example: File Transfer Policy Configuration
To configure a policy that monitors excessive file transfers:
- Login with a Site Administrator account.
- Navigate to Management > Session Intelligence and click Add.
- Enter a unique, but recognizable Name and an optional Description.
- Toggle on the Enabled parameter.
- Click Add Rule and create the following configuration:
- Rule Type:
File Transfer - Number of File Transfers: Set threshold (e.g.,
10) - File Size: Set threshold (e.g.,
100Mbs) - Frequency of File Transfers:
5(per minute) - User Variation:
0(disabled) - Asset Variation:
0(disabled)
- Rule Type:
- Under Actions, select:
Log EventTerminate Session
- Click Ok to save the rule.
8. Click Save to save the policy.
To assign the policy to a user(s) and asset:
- Locate an existing Access Profile or Create a new Access Profile
- In the Add or Edit Access Profile page, select the enabled Session Intelligence Policy from the Intelligence Policy dropdown selector.
- Click Save.
After the Access Profile is assigned or updated on the asset, start a new session with a user managed by the profile and exceed the defined rule conditions. Observe the rule's Actions are performed when the rule conditions are exceeded.
Example: Action - Log Event:
