Symantec Privileged Access Management

 PAM intrusion message

Alex Loo posted Apr 10, 2025 03:47 AM

PAM logged "Same origin policy violation; possible cross-site request forgery" and "Possible injection attack" messages.

  1. How to check PAM to ensure the intrusion is not successful?
  2. Can an SMTP alert be configured on PAM for critical events or intrusions?

Thanks

Broadcom Employee Ralf Prigl

Hello Alex, You should find this message in the PAM session logs. Whatever web service request triggered them will have an error returned and not be successful. The message also is sent to the configured syslog server(s), and you can create alerts on your integrated SIEM. If you think those messages are generated by mistake and need assistance in tracking down what causes them, open a case with PAM Support.
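
The following added example is not part of the reply above and is not Broadcom code: it scans syslog lines for the two message texts quoted in the question and summarizes the matches in a mail object, as one way to build the SIEM-side alert. The RFC 3164-style line layout, the host names and the mail addresses are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from email.message import EmailMessage

# Message texts quoted in the question above. The line layout (RFC 3164-style
# header), host names and mail addresses are assumptions for this example.
PAM_MESSAGES = (
    "Same origin policy violation; possible cross-site request forgery",
    "Possible injection attack",
)
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<body>.*)$")

def find_events(lines):
    """Return one dict per syslog line that carries one of the PAM messages."""
    events = []
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # not in the assumed syslog layout
        body = m.group("body").lower()
        for msg in PAM_MESSAGES:
            if msg.lower() in body:
                events.append({"ts": m.group("ts"), "host": m.group("host"), "message": msg})
                break
    return events

def build_alert_mail(events, sender, recipient):
    """Summarize events per (host, message) in a mail; None if nothing matched."""
    if not events:
        return None
    counts = Counter((e["host"], e["message"]) for e in events)
    mail = EmailMessage()
    mail["From"], mail["To"] = sender, recipient
    mail["Subject"] = f"PAM rejected {len(events)} request(s)"
    mail.set_content("\n".join(f"{h}: {n} x {m}" for (h, m), n in sorted(counts.items())))
    return mail  # deliver with smtplib.SMTP(...).send_message(mail)

# Constructed sample lines, not real PAM output.
SAMPLE = [
    "Apr 10 03:41:02 pam01 pam: Same origin policy violation; possible cross-site request forgery",
    "Apr 10 03:41:05 pam01 pam: user login succeeded",
    "Apr 10 03:42:17 pam01 pam: Possible injection attack",
    "Apr 10 03:44:30 pam02 pam: Possible injection attack",
    "not a syslog line",
]

if __name__ == "__main__":
    print(build_alert_mail(find_events(SAMPLE), "siem@example.com", "soc@example.com"))
```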

Alex Loo

Hi Ralf,

There were many sessions to PAM logged from the firewall, but there were only a few intrusion messages. Is there any chance that the device was compromised and no message was triggered?

Broadcom Employee Ralf Prigl

I'm only aware of cases where PAM erred on the safe side, i.e. legitimate requests were rejected because the checking was too broad in scope. If you are not on the 4.2.1 release yet, I would recommend upgrading soon to either that or the upcoming 4.2.2 release, which should be available before the end of the month.