Symantec Privileged Access Management


CA Threat Analytics Features

  • 1.  CA Threat Analytics Features

    Posted 01-23-2019 03:31 AM

    Hi All,

    I would like to know more about Threat Analytics features, since I just found this link for deploying and integrating with CA PAM:

    Deploy CA Threat Analytics Server - CA Privileged Access Manager - 3.2 - CA Technologies Documentation


    My questions are below:


    1. I would like to know how Risk Escalation works on CA Threat Analytics.

    If I click Acknowledge, what is the impact on the user? Does it just hide it, or change the user from bad to good?

    Is there a capability for Threat Analytics to disable a user that is recognized as a bad user?



    2. What does the "Managing subnet" title mean?


    3. If we configure SMTP for email notification, the "default from Address" will send the notification to "Testuser801"; is that correct?

    So we have to enable each of the users to send the email notification from the "default from Address"?


    I wonder whether Threat Analytics has an "Admin Address" mail to send any Bad/Suspect user notification to.

    Best Regards,


  • 2.  Re: CA Threat Analytics Features

    Posted 01-25-2019 09:56 AM

    I can answer the first question by pointing you to the Integrate with Threat Analytics section of the PAM Wiki:  Integrate with CA Threat Analytics - CA Privileged Access Manager - 3.1.1 - CA Technologies Documentation.  


    The first sentence in this section summarizes the interaction between PAM and TA:

    CA Threat Analytics integrates with CA Privileged Access Manager to evaluate the risk of privileged user activity to detect and mitigate threats from suspicious activity.


    Reading this section you will see the following:

    CA PAM collects event data.

    CA Threat Analytics analyzes event data.

    CA PAM applies mitigations.


    The risk level that CA Threat Analytics returns determines the actions which CA PAM takes against the user.  To give an example, if the risk changes for a user with a policy that doesn't specify recording, the recording requirement will be turned off and on.  If the risk for a logged-in user changes from Good to Suspect or Bad, a recording will be started immediately.  The recording will continue through the end of the session, and subsequent sessions will also be recorded, until such time as the risk level changes back to Good.  Take a look at the Enable Mitigation section for the details.


    Regarding the acknowledgement of the risk level change, that feature makes sure that the TA Admin has seen the Risk Level Escalation.  It has no bearing on the behavior described above.  That will continue whether you acknowledge it or not.  You have the option of making an annotation.


    I can also answer the third question.  This page lets you specify the mail server to use to send email notifications.  You also need to specify a from email address, which doesn't have to be a real email address, just something to identify that it came from TA.  IE,  You can also send a test email on this page.  To see where the email will be sent go to the User Accounts on the Settings page.


    I believe that the Manage Subnets page is based on the addresses that have been seen in the data from PAM.  You have the option of adding additional subnets manually.  I will reach out to a colleague for more information, as I'm sure this isn't enough.