Using Analyst Station

Objective

This guide provides instructions on how to use F5 Distributed Cloud Analyst Station.

---

Prerequisites

• You must have a valid Volterra Account. If you do not have an account, see Create a Volterra Account.
• Analyst Station should be enabled by an F5 Account Protection Manager.
• To use Analyst Station, your enterprise must be integrated with F5 Distributed Cloud Account Protection.

---

Accessing Analyst Station

To access Analyst Station in VoltConsole:

Step 1: In the VoltConsole Home Page, click Account Protection.

The Transactions Summary is displayed.

By default, a list of transactions that Account Protection has determined to be suspicious is displayed. However, you can filter the display settings for the Transactions Summary so that transactions that are blocked or allowed by Account Protection are also displayed. For instructions on how to filter the display settings, see Filtering the Transactions List.

---

Viewing Transaction Details and Providing Feedback

One of the useful features of Analyst Station is that it allows you to view the details of a transaction so that you can determine if it may be fraudulent. When viewing a transaction, you can provide feedback to Account Protection regarding whether or not you think a transaction is fraudulent, or if an entire user session that includes the transaction is fraudulent.

When you report a transaction or user session as fraud, you enable the AI models used by Account Protection to more accurately determine which transactions are suspicious and which transactions should be blocked. You also allow other analysts using Analyst Station to easily locate fraudulent transactions since they can filter the transactions list to view only transactions marked as Fraud or Not Fraud.

To view a transaction's details and provide feedback:

Step 1: In the Transactions Summary screen, click the Transaction ID that you want to view.

Step 2: Review the transaction's details.

• When you click on the Transaction ID, the Transaction Details screen appears.

In this screen, you can view the following useful information about the transaction:

• Summary: Shows the risk score, the recommendation from Account Protection for this transaction, and the fraud reasons for that recommendation.
• Event: Shows the time at which the transaction occurred, the name of the location in the web application from where the transaction occurred, and the URL of the web page where the transaction occurred.
• User Session: Shows the User Session that the current transaction is a part of. A User Session is a set of transactions that share the same Session ID and Device ID within a 48-hour time period. You can see the Transaction ID and fraud reasons for the other transactions in the User Session by clicking on them.
• Account: Shows the Account ID associated with this transaction.
• Device: Shows the Device ID of the web browser from where the transaction was initiated, the channel of the transaction (either web or mobile), and the type and version of the web browser (User Agent) from where the transaction was initiated.
• Malicious Activity Details: Lists malicious activity (such as malicious script injection or violation of page integrity) detected during the transaction and any relevant details.
• Network: Shows the IP of the location from where the transaction was initiated, the Autonomous System Number (ASN) associated with the transaction, and actual physical location where the transaction occurred.

Step 3: Provide feedback on the transaction.

• To provide feedback on a transaction, click Give Feedback (or Edit Feedback if you have previously provided feedback on this transaction) in the upper right corner of the Transaction Details screen.

  When you do this, the Give Feedback pop-up screen appears.

• In the Give Feedback screen, choose one of the following three options and then click Submit Feedback:

  • This transaction is fraud: Report this transaction as fraud to Account Protection.
  • This user session is fraud: Report all the transactions that are in the user session of the current transaction as fraud to Account Protection.
  • There is no fraud: Report this transaction as not fraud to Account Protection.

---

Filtering the Transactions List

You can use the filter settings in Analyst Station to focus your investigation on specific types of transactions according to the following categories: Transaction ID, Account ID, Recommendation, Device ID, Feedback, Channel, User Agent, URL, IP Address, and ASN.

To filter the Transactions List:

• In the Transactions Summary, click Add Filter.

  A list of filter options appears.

  

• Select the filter option you want, the relevant operator, and the value you want to use for filtering.

  The Transactions List is now filtered according to the criteria you set.

Note: You can also filter by Device ID or Account ID by entering the ID number in the search box.

---

Customizing the Information Displayed in the Transactions Summary

You can customize the type of information displayed in the Transactions Summary by clicking on the Settings icon in the upper right corner of the screen. When you do this, a list of different types of transaction information appears.

Add or remove display options and then click Apply.

---

Changing the Time Period for Display of Transactions Summary Data

By default, the Transactions Summary lists data on transactions that were detected by Account Protection within the last 24 hours. However, this time period can be changed so that data is listed for transactions detected in the last 7 days or 30 days.

To change the time period for the display of Transactions Summary data:

1. Click Last 24 Hours in the upper right corner of the Transactions Summary.

2. From the drop-down list, select either Last 7 Days or Last 30 Days.

   The Transactions Summary data is then listed according to the time period you chose.

---