Using Analyst Station

Objective

This guide provides instructions on how to use F5 Distributed Cloud Analyst Station.


Prerequisites


Accessing Analyst Station

To access Analyst Station in F5 Distributed Cloud Console:

Step 1: In the F5 Distributed Cloud Console Home Page, click Account Protection.

Figure: Select Account Protection

The Analyst Station dashboard is displayed.

Figure: Analyst Station Dashboard

By default, the Analyst Station dashboard lists transactions that Account Protection has assigned the status of Review or Challenge. However, you can filter the display settings so that transactions with the status Block or Allow are also displayed. For instructions on how to filter the display settings, see Filtering the Transactions List.


Understanding the Recommendations that Account Protection Assigns to Transactions

All transactions that are displayed in the Analyst Station dashboard have a recommendation that has been assigned by Account Protection. These recommendations are extremely useful for the user to determine which transactions should be blocked, which transactions require further investigation to determine if they are malicious, and which transactions are safe and require no intervention. These recommendations cannot be changed by the user.

Account Protection assigns one of the following four recommendations to a transaction:

  1. Allow: This transaction shows normal behavior and requires no further follow-up.
  2. Block: Account Protection has identified this transaction as fraudulent with high confidence and recommends that you block it.
  3. Review: Account Protection has identified this transaction as suspicious and recommends that it be reviewed by your fraud team.
  4. Challenge: Account Protection has identified this transaction as needing further validation by a means such as CAPTCHA or multi-factor authentication.

Viewing Transaction Details and Providing Feedback

One of the useful features of Analyst Station is that it allows you to view the details of a transaction so that you can determine if it may be fraudulent. When viewing a transaction, you can provide feedback to Account Protection regarding whether or not you think a transaction is fraudulent, or if an entire user session that includes the transaction is fraudulent.

When you report a transaction or user session as fraud, you enable the AI models used by Account Protection to more accurately determine which transactions are suspicious and which transactions should be blocked. You also allow other analysts using Analyst Station to easily locate fraudulent transactions since they can filter the transactions list to view only transactions marked as Fraud or Not Fraud.

To view a transaction's details and provide feedback:

Step 1: In the list of transactions in the Analyst Station dashboard, click the Transaction ID that you want to view.

Figure: Select a Transaction ID

Step 2: Review the transaction's details.
  • When you click on the Transaction ID, the Transaction Details screen appears.

Figure: Transaction Details Screen

In this screen, you can view the following useful information about the transaction:

  • Risk Summary: Shows the risk score, the recommendation from Account Protection for this transaction, user feedback (if provided), and the fraud reasons for that recommendation.
  • About Transaction: Shows the Transaction ID, the time at which the transaction occurred, the name of the event type that indicates the location in the web application from where the transaction occurred, and the URL of the web page where the transaction occurred.
  • User Session: Shows the User Session that the current transaction is a part of. A User Session is a set of transactions that share the same Session ID and Device ID within a 48-hour time period.
  • Associated IDs: Shows the Account ID associated with this transaction, the Device ID of the web browser from where the transaction was initiated, the channel of the transaction (either web or mobile), and the type and version of the web browser (User Agent) from where the transaction was initiated.
  • Malicious Activity Details: Lists malicious activity (such as malicious script injection or violation of page integrity) detected during the transaction and any relevant details.
  • Network: Shows the IP address of the location from where the transaction was initiated, the Autonomous System Number (ASN) associated with the transaction, and the actual physical location where the transaction occurred.
  • Location and IP Address of the Account ID: Scroll down to the bottom of this screen to see the locations and IP addresses that are associated with the Account ID of this transaction.

Step 3: Provide feedback on the transaction.
  • To provide feedback on a transaction, click Give Feedback (or Edit Feedback if you have previously provided feedback on this transaction) in the upper right corner of the Transaction Details screen.

    When you do this, the Give Feedback pop-up screen appears.

Figure: Give Feedback Screen

  • In the Give Feedback screen, choose one of the following three options and then click Submit Feedback:

    • This transaction is fraud: Report this transaction as fraud to Account Protection.
    • This user session is fraud: Report all the transactions that are in the user session of the current transaction as fraud to Account Protection.
    • There is no fraud: Report this transaction as not fraud to Account Protection.

Filtering the Transactions List

You can use the filter settings in Analyst Station to focus your investigation on specific types of transactions according to the following categories: Transaction ID, Account ID, Recommendation, Device ID, Event Type, Feedback, Channel, User Agent, URL, IP Address, and ASN.

To filter the Transactions List:

  • In the Transactions List, click Add Filter.

    A list of filter options appears.

    Figure: Filter Options

  • Select the filter option you want, the relevant operator, and the value you want to use for filtering.

    The Transactions List is now filtered according to the criteria you set.

Filtering the Transactions List from the Transactions Summary

From the Transactions Summary, you can easily filter the Transactions List according to the Recommendation or Feedback status. For example, if you click Review in the Transactions Summary, the Transactions List is filtered to show only transactions with the Review recommendation, as shown below.

Figure: Filtering from Transactions Summary

Notes on Filtering Transactions

  • If you click Clear All on the right side of the dashboard, the filter returns to its default values (Recommendation = Review or Challenge).
  • If you change the default filter settings and then remove your changes by clicking X (see below), the filter returns to its default values.

Figure: Remove Filter Settings

  • If you use the search box to find transactions, the filter settings change to Recommendation = Review or Block or Allow or Challenge.

Using Sorting and Search to Find Transactions

You can use sorting and search functionality in the Transactions List to find a specific transaction or a set of transactions.

Find Transactions by Sorting

You can sort transactions by clicking on one of the following column names in the Transactions List:

  • Account ID: Displays transactions from the lowest to highest ID number, or vice versa.
  • Risk Score: Displays transactions from the lowest to highest risk score, or vice versa.
  • Event Type: Displays transactions listed in alphabetical order according to the event type, or reverse alphabetical order according to the event type.
  • Start Time: Displays transactions from the earliest to latest start time, or vice versa.
  • ASN: Displays transactions listed in alphabetical order according to the ASN, or reverse alphabetical order according to the ASN.
  • IP Address: Displays transactions from the lowest to highest IP address, or vice versa.

Find Transactions by Searching

Analyst Station’s search feature can be used to find transactions by means of the Transaction ID, Account ID, Device ID, or IP Address. An exact ID or IP Address must be entered in the search box to obtain results.

This feature can be very useful for finding a group of transactions that share the same Account ID, Device ID, or IP Address.

Note: When using the search feature in Analyst Station, you can search for transactions that have been detected by Account Protection within the past 90 days by selecting Last 90 Days from the Time Period drop-down list.

To find transactions with the search feature:

Step 1: Select the copy box next to the ID or IP Address that you want to search for.

Figure: Select the copy box

Step 2: Paste the ID/IP Address in the search box.

Figure: Paste in the Search Box

The Transactions List now displays only those transactions with the ID or IP Address you put in the search box.


Customizing the Information Displayed in the Transactions Summary

You can customize the type of information displayed in the Transactions Summary by clicking on the Settings icon in the upper right corner of the screen. When you do this, a list of different types of transaction information appears.

Figure: Transaction Information Display Options

Add or remove display options and then click Apply.


Changing the Time Period for Display of Transactions Summary Data

By default, the Transactions Summary lists data on transactions that were detected by Account Protection within the last 24 hours. However, this time period can be changed so that data is listed for transactions detected in the last 7 days or 15 days.

To change the time period for the display of Transactions Summary data:

  1. Click Last 24 Hours in the upper right corner of the Transactions Summary.

  2. From the drop-down list, select either Last 7 Days or Last 15 Days.

    The Transactions Summary data is then listed according to the time period you chose.