Customize risk profiles

AFA analyzes device configuration and reports security risks using risk profiles, which define sets of security risk items and their security levels.

By default, AFA uses a Standard Risk Profile for all devices, which includes a set of standard risk items. Each risk item represents an XQL query that AFA performs on simulation results to detect risks.

Create custom risk profiles as needed, including different combinations of risk items, changing severity levels of each risk item, or creating custom risk items. Custom risk items enable you to define complex risks by composing your own XQL queries.

Note: After making changes to risk profiles, you must run a new analysis before seeing any changes in AFA reports.

Edit a Risk Profile: Watch to learn how to edit a risk profile to suit your network needs.

View a risk profile

This procedure describes how to view a specific risk profile in the AFA Administration area, as well as the details shown.

Do the following:

  1. Access the AFA Administration area. Click your username in the toolbar and select Administration.

  2. Click the ComplianceRisk Profiles tab, displaying the Standard risk profile with risk items displayed in a grid below.

    The risk item grid includes the following data:

    Code The risk item code.
    Risk Level

    The severity level applied to the risk level.

    The severity level is also indicated by the color bar on the left of the row, as follows:

    • Brown = Low
    • Yellow = Medium
    • Orange = Suspected High
    • Red = High
    • Grey = Ignored

    Note: Ignored risk items are listed in AFA reports towards the bottom of the Risk Assessment page, and not in the main page with other detected risks. For more details, see RISKS page.
    Title The risk item's title, or name.
    From / To The source and destination zone of connections specified by the risk item.
    Brand The relevant device brand for the risk item.

  3. To load a different risk profile, select it from the Select risk profile dropdown menu above the grid. The page is updated with the selected risk profile.

Continue with any of the following:

Back to top

Add a new risk profile

Add a new risk profile by creating one from scratch, modifying an existing profile and saving it under a new name, or importing a spreadsheet that specifies safe traffic.

Create a new risk profile from scratch

Create a new risk profile from scratch when you want to start with completely empty risk items.

Do the following:

  1. Access the Risk Profiles tab in the AFA Administration area. For details, see View a risk profile.
  2. Click + Create new risk profile, and enter a name for your new profile.
  3. Customize your risk items as needed. For details, see Customize risk items.
  4. When you're done, click Save and then OK to confirm.

Your new risk profile is ready to use in your next AFA analysis.

Back to top

Create a new risk profile from an existing one

Create a new profile by starting with an existing one when you want to use the existing one as a basis for your new profile.

Do the following:

  1. View the specific risk profile you want to start with in the Risk Profiles tab in the AFA Administration area. For details, see View a risk profile.
  2. Customize your risk items as needed for your new profile. In the Risk profile notes field, enter a description for your new risk profile.
  3. Click Save As, and enter a new name for your new profile.
  4. Click OK, and then OK again to confirm.

Your new risk profile is ready to use in your next AFA analysis.

Tip: While the Standard risk profile is read-only, you can use it as the basis for a custom profile. Then, you can define your custom profile as the default risk profile for all future reports. For details, see Set a default risk profile.

Create a new risk profile from a spreadsheet

Create a custom risk profile by uploading a spreadsheet that defines safe and risky traffic. When you upload this file, AFA creates a new risk profile. By default, any traffic not included in the spreadsheet is defined as a risk.

Use the template provided in the AFA Administration area to create this spreadsheet.

Do the following:

  1. Open the Risk Profiles tab in the AFA Administration area. For details, see View a risk profile.

  2. Click Import from spreadsheet. In the Import risk profile dialog, Download sample spreadsheet.

  3. Save the file locally using a meaningful name, and populate it with details about the traffic you want to allow or define as risky. For details, see Spreadsheet requirements.

  4. When your spreadsheet is ready, return to the Import risk profile dialog, and click Choose File. Browse to and select the file you edited, and the click OK to upload the file.

    AFA generates your new risk profile, defining any traffic that is not specified in your uploaded file as a risk.

    AFA optimizes your risks, and combines similar items to create the fewest number of new risk items possible.

  5. Click Save as to save your new Risk Profile. Enter a meaningful name, and click OK.

Your new risk profile is ready to use in your next AFA analysis.

Note: When you upload a spreadsheet, AFA optimizes risk creation by combining traffic flows when possible. This may result in individual risks with wide definitions.

In such cases risk descriptions specify the traffic or server that triggered the risk to help you understand why the risk was triggered.

Spreadsheet requirements

The spreadsheet uploaded to AFA to generate a custom risk profile must include the following sheets:

  • Traffic. Defines the traffic you want to mark as allowed or risky by the generated risk profile.

    Modify the number of rows or columns as needed to describe the traffic.

  • Networks. Defines network objects used in the Traffic sheet.

  • Services. Defines service objects used in the Traffic sheet.

Across all sheets in the spreadsheet:

  • Object names are case-sensitive.
  • Comments are supported in all sheets, only outside the data table, title rows or columns. Add # before the comment text.

For more details, see Populate the Traffic sheet and Populate the Networks and Services sheets.

Note: To define conditional severities, include the Conditional Severities sheet as well.

You must populate every cell in the Traffic sheet data table, as follows:

Source / destinations

List source network objects in the left column, and destination network objects across the top row.

Destinations do not need to be the same as the sources, but must be network objects defined in the Networks tab, or the predefined Other object.

The Other object includes all IP addresses that are not included in network objects listed on the Networks tab, and generally includes the public internet.

Service objects

Each cell that intersects a source and destination must contain one or more service objects, as follows:

  • To define safe traffic, enter the name of a safe service object.
  • To define risky traffic, enter the name of a risky service object using the following syntax: not(service_object) or !service_object
  • To define multiple service objects in a single cell, enter each object name on a new line in the cell (ALT+ENTER).

Service object values must either be listed on the Services tab, or be one of the following predefined services:

  • Any. All services
  • None. No services.

Tip: Optionally, specify risk severity levels for risk traffic associated with a specific source or destination. For details, see Specify risk severity in your spreadsheet.

Populate the Networks and Services sheets as follows:

Object names List object names in the left column.
Object content

List object content in the same row as the objects name.

Assign multiple values to each object as needed, by specifying multiple values across the row, each value in it's own cell.
Object names Object names support lowercase and uppercase letters, digits, and underscores (_).
Network objects

Network objects support single IP addresses, subnets, or ranges.
Service objects

Service objects support:

  • Protocol/port format for TCP, UDP, and ICMP protocols
  • Other standard names such as SSH, FTP, and so on, including AlgoSec standard services

By default, all risks generated by uploading a spreadsheet are given a Medium severity. To customize this, specify severity levels in the Traffic sheet for risks associated with specific traffic, sources, or destinations.

Do the following:

In the Traffic sheet, add the following characters to your cells to indicate severity levels:

  • H = High
  • S = Suspected high
  • M = Medium
  • L = Low
  • Any conditional ID specified in a Conditional Severities sheet.

Add your severity notations to cells in your Traffic sheet as follows:

Specify severity for all traffic from a specific source

Indicate the severity level with the network object in the left column.
Specify severity for all traffic from a specific destination Indicate the severity level with the network object in the header row.
Specify severity for all traffic from a specific source and to a specific destination

Indicate the severity level with the service object in the intersecting cell.

In such cases:

  • By default, the generated risk will be relevant to all traffic between the services, via services other than those included in the service object.
  • If you specify severity for a risky service object, the generated risk will be relevant to all traffic between the servers via the specified service object.
Specify multiple severity levels for traffic from a specific source to a specific destination

Further segregate traffic by defining a permitted service object and one or more negated service objects in the same intersecting cell, each with a specified severity.

In such cases:

  • Place each object on a new line in the cell (ALT+ENTER)
  • The first object in the cell can be safe or negated. All other objects must be negated.

Note: If a severity is specified for either the traffic, or for a specific source or destination, AFA assigns the specified severity to that risk.

If different severities are assigned to the source and destination, AFA uses the higher severity when generating the risk.

For more details, see Populate the Traffic sheet.

The following table shows an example of a Traffic sheet with severities indicated:

To

From

 Net1 Net2 Net3 PartnerNet PCIzone;S Other
Net1 - !(forbiddenSvc) SecureSrvs ; C2 Any SecureSrvs Any
Net2 Any - Any Any SecureSrvs Any
Net3 OnlySrv/X !(OnlySrv/X) - Any SecureSrvs Any
PartnerNet PartnerSrv !PartnerSrv ; C1 !PartnerSrv ; C1 Any SecureSrvs Any
PCIzone;S

SecureSrvs ; M

!forbiddenSvc ; H

 SecureSrvs SecureSrvs ; C2 SecureSrvs ; C3 - None;H
Other - - http_Services - None;H Any

In this example, AFA will use the data in the highlighted cell to generate risks with the following severities:

High Traffic from PCIZone to Net1, via forbiddenSvc
Medium Traffic from PCIZone to Net1, via any services other than those defined in forbiddenSvc or SecureSrvs
Not risky Traffic from PCIZone to Net1, via SecureSrvs

Note that although the risk specified for all traffic from PCIzone is Suspected high, no traffic from PCIzone to Net1 is specified as Suspected high, as the severities associated with each service object take precedence.

Back to top

Delete a custom risk profile

Delete any unused risk profiles to declutter your system.

Do the following:

  1. View the specific risk profile you want to delete in the Risk Profiles tab in the AFA Administration area. For details, see View a risk profile.
  2. Below the Risk Profile table, click Delete this profile.
  3. Click OK to confirm, and then OK again.

Back to top

Set a default risk profile

By default, the risk profile used when running an analysis is always the Standard risk profile. Set a custom risk profile as the default, as needed.

Do the following;

  1. Access the AFA Administration area. Click your username in the toolbar and select Administration.

  2. Click the ComplianceCompliance Options tab.

  3. In the Default risk profile dropdown, select the risk profile you want to set as default, and click OK.

    For example:

AFA uses the selected risk profile by default when running an analysis.

Back to top