Overview
When idemeum captures an application event (either an execution event for allowlisting or an elevation event for elevation control), it calculates a confidence score for that application.
The confidence score indicates how confident we are that allowing execution or elevation of this app is safe in our environment. For each application we look at more than 20 signals, calculate the score as a weighted sum across independent signal groups, and then present the score as a recommendation zone.
We look at the following signal categories:
| Category | Definition |
|---|---|
| Identity trust | Capturing signals that represent the metadata of the application, including signature, verified publisher, OS binary, etc. |
| Execution context risk | Capturing signals related to how the application executes: from what path, under what context, what the parent process chain is, and more. |
| Prevalence and history | Capturing stats on how prevalent this application is across idemeum customers and how and when it was seen in your environment. |
| Malware verdict | Capturing signals, reputation and metadata returned by the Sophos reputation API. |
| Policy trust | Which rules the application matches. |
At the end of the scoring computation we return the confidence zone for each application:
- hard block - certainly malicious
- high risk - likely unsafe to allow
- ambiguous - the application needs careful review
- soft allow - likely safe to allow for the organization
- allow - high confidence of a safe application
Here is an example of the confidence score calculation:
- Signed by Microsoft
- Standard User + running from Program Files
- Low Tenant Prevalence
- CLEAN Reputation
- Publisher allow rule
= 89.5
-> High Confidence Allow
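The weighted sum and zone mapping described above, as an added sketch that is not idemeum's own code. The weights, per-category scores and zone thresholds are all assumed, chosen so that the page's example comes out to 89.5; only the category and zone names come from this page.

```python
from bisect import bisect_right

# ASSUMED weights in percent, one per signal category from the table above.
WEIGHTS = {
    "identity_trust": 30,
    "execution_context": 20,
    "prevalence_history": 15,
    "malware_verdict": 25,
    "policy_trust": 10,
}
# ASSUMED zone boundaries; the zone names are the page's, lowest to highest.
BOUNDS = [20, 40, 60, 80]
ZONES = ["hard block", "high risk", "ambiguous", "soft allow", "allow"]


def confidence_score(groups):
    """Weighted sum of per-category scores, each on a 0-100 safety scale."""
    if set(groups) != set(WEIGHTS):
        raise ValueError("expected exactly one score per signal category")
    for name, value in groups.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} score out of range: {value}")
    # Integer percent weights keep the arithmetic exact for simple inputs.
    return sum(WEIGHTS[n] * groups[n] for n in WEIGHTS) / 100


def zone(score):
    """Map a 0-100 score onto one of the five recommendation zones."""
    return ZONES[bisect_right(BOUNDS, score)]


# Constructed per-category scores for the page's example: every group is
# fully trusted except prevalence, which is low in the tenant.
PAGE_EXAMPLE = {
    "identity_trust": 100,      # signed by Microsoft
    "execution_context": 100,   # standard user, running from Program Files
    "prevalence_history": 30,   # low tenant prevalence
    "malware_verdict": 100,     # CLEAN reputation
    "policy_trust": 100,        # publisher allow rule
}
# Constructed contrast case: unsigned binary, user-writable path, never seen
# before, unknown reputation, no matching rule.
UNKNOWN_BINARY = {
    "identity_trust": 10, "execution_context": 20, "prevalence_history": 5,
    "malware_verdict": 50, "policy_trust": 50,
}

if __name__ == "__main__":
    for label, case in (("page example", PAGE_EXAMPLE), ("unknown", UNKNOWN_BINARY)):
        s = confidence_score(case)
        print(f"{label}: {s} -> {zone(s)}")
```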
Where confidence score is shown
The confidence score is shown everywhere you interact with an application event:
- For each application event in the portal in the Events table
- For each elevation or execution request in the web portal
- Mobile request notifications
- Email admin notifications
- Tickets we create in the ticketing system
Here is an example of the confidence score displayed in the admin portal Events view: