8.2 Using Reports Settings

8.2.1 Using Audit Settings

The default configuration does not encrypt or roll over the audit databases. If your security model requires you to keep audit records available for years, you need to configure the rollover options and move the rolled-over files to an archive location.

  1. Click Reports > Settings > Audit Settings on the home page of the Privileged Account Manager console.

  2. On the Audit Log Settings page, set the rollover parameters for each audit database file. Rolled-over databases are kept as SQLite databases.

    Audit DB Name: This column lists the configured audit database names. Except for the Change Management (chngmgnt) database name, which is present by default, all other database names are populated only when you configure them.

    Rollover Time (hours): Specify the time interval for rolling over the audit file. If the time interval is always reached before the maximum size is reached, the time interval is used for rollover and the size restriction is ignored.

    Rollover Size (MB): Specify the maximum size the file can reach before the audit file is rolled over. If the file always reaches the maximum size before the time interval is reached, the size restriction is used for rollover, and the time interval is ignored.

    Protection: Select None to allow the rollover file to be an unencrypted file or select Encrypted to encrypt the audit database.

    When you select Encrypted to encrypt any database, ensure that the NULL Cipher (clear text) key is disabled at Reports > Settings > Encryption Settings.

    Encrypting the file can impact the performance of your audit managers. Also, the encrypted file can be decrypted by the Privileged Account Manager, but it cannot be displayed on new systems that do not detect the encryption keys.

    To configure the encryption keys, click Reports > Settings > Encryption Settings.

  3. If you want to zip the rollover files or move them to another location, use the Rollover Script option to specify a Perl script that can perform these tasks. The script is called whenever an audit database is rolled over.

    For example, the following script uses gzip to compress the rolled-over file and enters an error message in the unifid.log file.

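    if ($DBGRP eq 'cmdctrl') {
        # List-form system() runs gzip without a shell, so characters in the file name are not interpreted.
        system('gzip', $AUDIT_FILE);
        # Record the rollover in unifid.log.
        $ctx->log_error("Audit rollover $DBGRP $AUDIT_FILE");
    }

  4. Click Finish.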
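
A shell helper that a Rollover Script could call through system(), the same way the sample script calls gzip, to compress a rolled-over audit database, move it into an archive directory, and record a SHA-256 manifest so the archive can be checked years later. This is an added example, not Privileged Account Manager code; the function names, the SHA256SUMS manifest name, and the archive directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not product code). Assumed names: archive_audit_db,
# verify_audit_archive, and the manifest file SHA256SUMS.

MANIFEST_NAME="SHA256SUMS"

# archive_audit_db <rolled-over-file> <archive-dir>
# Return codes: 0 ok, 2 bad arguments, 3 would overwrite, 4 gzip failed,
#               5 copy does not match source, 6 rename failed, 7 manifest failed.
archive_audit_db() {
    src=$1
    archive_dir=$2
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 2; }
    [ -d "$archive_dir" ] || { echo "archive dir missing: $archive_dir" >&2; return 2; }

    name=$(basename -- "$src").gz
    dest="$archive_dir/$name"
    # The archive is append-only: never replace a member that already exists.
    [ ! -e "$dest" ] || { echo "refusing to overwrite $dest" >&2; return 3; }

    # Compress to a temporary name inside the archive directory so the final
    # rename is atomic and a half-written file never carries the real name.
    tmp="$dest.partial.$$"
    gzip -c -- "$src" > "$tmp" || { rm -f -- "$tmp"; return 4; }

    # Decompress the copy and compare hashes before the source is deleted.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    copy_sum=$(gzip -dc -- "$tmp" | sha256sum | cut -d' ' -f1)
    if [ "$src_sum" != "$copy_sum" ]; then
        rm -f -- "$tmp"
        echo "verification failed for $src" >&2
        return 5
    fi

    chmod 0440 "$tmp"
    mv -- "$tmp" "$dest" || return 6

    # The manifest stores the hash of the archived .gz under its relative name.
    ( cd "$archive_dir" && sha256sum -- "$name" >> "$MANIFEST_NAME" ) || return 7

    # Only now is it safe to remove the rolled-over file from the audit directory.
    rm -f -- "$src"
}

# verify_audit_archive <archive-dir>
# Succeeds only if every file listed in the manifest exists and still matches.
verify_audit_archive() {
    archive_dir=$1
    ( cd "$archive_dir" && sha256sum -c "$MANIFEST_NAME" ) >/dev/null 2>&1
}
```

Keep a copy of SHA256SUMS outside the archive directory, because anyone who can rewrite an archived file can also rewrite a manifest stored beside it.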

8.2.2 Using Encryption Settings

Use this page to configure when the randomly generated encryption key is changed.

  1. Click Reports > Settings on the home page of the console.

  2. Click Encryption Settings in the task pane.

  3. The NULL Cipher (clear text) key is enabled at Reports > Settings > Encryption Settings by default.

    If you want to encrypt the databases, you must first disable the null cipher, then change the database Protection to Encrypted and save. Privileged Account Manager then encrypts all the databases that have Protection set to Encrypted in Reports > Settings > Audit Settings with the latest key. This can be very time-intensive and can affect performance until it is completed.

  4. To specify how frequently the key is changed, move the Key Rollover slider to the right and specify a Key Rollover interval by selecting the type of interval (years, months, weeks, or days).

  5. (Optional) In the Encryption Keys list, disable or enable keys by moving the slider to the right or left against the respective Key ID.

    Each time a new key is generated, it is added to the list.

    If you disable a previous key, Privileged Account Manager re-encrypts all databases that were encrypted with the old key using the latest key. This can be very time-intensive and can affect performance until it is completed.

    If you disable the null cipher key, Privileged Account Manager encrypts all the databases that have Protection set to Encrypted in Reports > Settings > Audit Settings with the latest key. This can be very time-intensive and can affect performance until it is completed.

  6. Click Finish.

8.2.3 Using Video Report Filter Settings

To simplify searching for a particular video, Video Capture for Windows has a set of preconfigured filters for tasks that you perform, such as type, click, and so forth.

NOTE: The Video Report filter is supported only for Windows sessions.

To edit the filter settings:

  1. Click Reports > Settings on the home page of the console.

  2. Click Video Report Settings.

  3. Edit the Video Report Filter Settings.

    By default, Video Report Filter Settings has the following filters:

    Type|click|Checked|Close window|Terminate|msc|user|group|start|stop|Log Off

    You can use any filter from the above mentioned options. Example: Terminate

  4. Click Reports > All Sessions.

  5. Select a Windows session and click Capture. The video Details page is displayed. Click Videos > Filtered Events and enter Terminate in the search box. Only the Terminate filtered events are listed.

  6. Click Update.

NOTE: To restore the initial filter configuration after editing it, click Reset > Update.

Viewing Report Data

  1. Click Reports on the home page of the console.

  2. Select the report from Built-In Reports.

  3. The navigation pane displays the following information about each instance of the report.

    Start Time: Displays the date and time when the report started. NOTE: It displays the session start time as set in the Manager.

    End Time: Displays the date and time when the report ended.

    User: Displays the name of the user who issued the command.

    Host: Displays the name of the host from which the command was issued.

    Run As: Displays the name of the user who issued the command.

    Run Host: Displays the name of the host who issued the command.

    Audit ID: Displays the unique ID of the audit record.

    Command: Displays the command that was executed.

    Authorized: Displays whether the rule for this command is authorized.

    Capture: Displays whether the rule for this command was captured as video or as keystrokes.

    Audits: Displays Audit ID and the respective capture details.

    User Domain: Displays the user domain of the user who issued the command.

    Disconnect Type: Displays the date, time, and disconnect type: Manual or Automatic.

NOTE: When second factor authentication is enabled through Advanced Authentication in Privileged Account Manager, and a user requests a session, is prompted to select a second factor authentication chain (for example, the Access Control permission has 'Secondary Authentication:yes'), and completes it successfully, two duplicate Access Control sessions are audited in the Reporting Console with the same Audit ID: one with Authorized: No, Capture: Yes and one with Authorized: yes, Capture: yes. This is because of the time it takes to sync with the Advanced Authentication data.

Filtering the Viewable Records

Use the Filters to build a list of matching conditions that allows you to customize the records that are displayed in the Report Data tab. This allows you to build reports that show only the information that your users require.

  1. Click Reports on the home page of the console.

  2. In the navigation pane, click the type of report that you want to view. The four types are Sessions, Administrator Activities, Credential Checkouts, and Shared Key Checkouts.

  3. Click Filters.

  4. Select from the following conditions. You can combine conditions with AND logic, which requires the report to match all conditions that have been joined with an AND. You can also combine conditions with OR logic, which requires the report to match either the conditions before the OR or the conditions after the OR.

    Authorized: Select this option to use session authorization by the Command Control as a matching criterion. Use the Yes/No drop-down list to specify whether the session matches when the session was authorized or not.

    Session Capture: Select this option to use session capture as a matching criterion. Use the Yes/No drop-down list to specify whether the report matches when the session capture was authorized or not.

    User: Select whether you want to match on the submitting user or the run user. For the matching type, select one of the following:

    • Select Matches or Doesn’t Match, then specify an exact value or a value with an asterisk (*) wildcard such as jo*.

    • Select Regexp or Doesn’t Regexp, then specify a regular expression.

    User Domain: Select whether you want to match the domain on the native mapped user or the second factor authenticated user. For the matching type, select one of the following:

    • Select Matches or Doesn’t Match, then specify an exact value or a value with an asterisk (*) wildcard such as jo*.

    • Select Regexp or Doesn’t Regexp, then specify a regular expression.

    Host: Select whether you want to match on the submitted host or the run host. For the matching type, select one of the following:

    • Select Matches or Doesn’t Match, then specify an exact value or a value with an asterisk (*) wildcard such as jo*.

    • Select Regexp or Doesn’t Regexp, then specify a regular expression.

    Command: Select whether you want to match on the submitted command or the audited command. An audited command is a command that has been audited within a session capture. Audited commands are collected when the session used the pcksh shell with the audit option. For the matching type, select one of the following:

    • Select Matches or Doesn’t Match, then specify an exact value or a value with an asterisk (*) wildcard such as jo*.

    • Select Regexp or Doesn’t Regexp, then specify a regular expression.

    Audit ID: Select to match the session on the audit ID assigned to the session. For the matching type, select one of the following:

    • Select Matches or Doesn’t Match, then specify an exact value or a value with an asterisk (*) wildcard such as 4bd*.

    • Select Regexp or Doesn’t Regexp, then specify a regular expression.

    Session Start: Select to match the session on when it started or when it ended. Select either Session Start or Session End, select After or Before for the matching operator, then use the calendar to specify a date and use the time fields to specify the hour and minute.

    Disconnect Type: Select to match based on the Disconnect Type of the session. For the matching type, select one of the following:

    • Select Matches or Doesn’t Match, then specify an exact value or a value with an asterisk (*) wildcard such as 4bd*.

    • Select Regexp or Doesn’t Regexp, then specify a regular expression.

    (): Select to group conditions so that the record is displayed if it matches the conditions defined by one group in the filter.

  5. Click Apply.

Modifying General Report Information

Use the General tab to keep the report’s name and description in sync with the configured filter and to restrict access to the report by assigning read and update roles.

  1. Click Reporting on the home page of the console.

  2. Click Command Control Reports in the navigation pane.

  3. Select the report in the navigation pane.

  4. Click the General tab in the navigation pane.

  5. Modify the values of the following fields:

    Report name: Specify a new name for the report.

    Description: Describe the type of records that the report displays.

    Roles: Specify values if you want to allow users read access to this report and the ability to update specific information such as its name, description, and filters.

    • Read: To enable read access, specify a unique name for the read role for this report.

    • Update: To enable update rights, specify a unique name for the update role for this report.

    If you use the same name for a role on multiple reports, the role grants rights to multiple reports. If you use the same name for both the read role and the update role, the role grants both read and update rights.

    To assign these roles to a group, see Audit Reports Permissions.

  6. To save your changes, click Apply, or to discard your changes, click Reset.

Selecting Log Files

The Audit Manager indexes any rolled-over audit database. You use the Log Files tab to select which of these rolled-over databases is used to display information in the Report Data tab. This allows you to review archived data or current activity.

Only the audit databases currently in the audit directory view are displayed. If an audit database has been taken offline (zipped or moved), it does not appear in the list.

  1. Click Reporting on the home page of the console.

  2. Click Command Control Reports in the navigation pane.

  3. Select the report in the navigation pane.

  4. Click the Log Files tab in the navigation pane.

  5. Select the log files that are required for the report.

    To include all available log files, select the All log files box.

  6. Click Apply.

Replaying Keystrokes

Where a rule has been configured to capture session information, you can review the entire session in the report.

  1. Click Reports on the home page of the console.

  2. Click Command Control Reports in the navigation pane.

  3. Select the report in the navigation pane.

  4. In the navigation pane, select the session that you want to review.

    Commands for the session data that have been captured are indicated by a Yes in the Capture column.

  5. Click Keystroke Replay in the task pane.

  6. Edit the following fields:

    Terminal Type: Change the terminal type if it is set incorrectly.

    Find: To find a specific command or string in the report, specify the text in the text box, then click Find. If the report contains hundreds of lines, this allows you to find the command you are interested in.

    Show control characters: Use this option to show or hide control characters on the screen.

    Show audited commands: Use this option to show or hide the full list of audited commands. If this option is enabled, the screen shows the actual commands that are being run when a user types a command. You can also view each input command individually by mousing over the command.

    Show profile commands: Use this option to show or hide the commands run in the user’s login profile when the user’s pcksh login shell has auditing configured to level 2.

  7. From the list of input commands, select a command, then click Output.

  8. Use the Play, Rewind, and Pause buttons to review the data.

  9. Click Cancel to return to the list of reports.

Removing a Report

IMPORTANT: This action cannot be undone.

  1. Click Reports on the home page of the console.

  2. Click Command Control Reports in the navigation pane.

  3. Select the report you want to delete.

  4. Click Delete Report in the task pane.

  5. Click Finish.

Generating an Activity Report

The Activity Report option allows you to generate a graphical snapshot of all the audit records currently being displayed in the report. The activity report can then be printed, providing a visual record for managers to see the number of commands each host is processing, the names of users requesting sessions, and the number of sessions accepted or rejected.

  1. Click Reporting on the home page of the console.

  2. Click Command Control Reports in the navigation pane.

  3. Select the report you want to generate an activity report for.

  4. Click Activity Report in the task pane.

    The navigation pane displays the selected activity report.

  5. To print the report, click Print.

  6. To return to the list of reports, click Cancel.

Viewing a Report in a Comma-separated Values (CSV) Format

You can view an audit report in a CSV format when Privileged Account Manager is installed on a Linux or a UNIX server. Run the sreplay -c <host> command to view the report. For more information about the sreplay command, refer to Section 10.8, sreplay Command Line Options.

8.2.4 Configuring Video Capture

Video Capture monitors the user activity by capturing videos of every task performed by the user.

  • You can schedule compression and archiving of video files to external storage.

  • You can turn the Video Capture feature ON or OFF for a particular user based on your requirement. This way you can manage your system’s storage capacity.

  • You can off-load the session-screen-to-video conversion operation to a dedicated video off-load agent. This way, you can improve the agent performance.

  • For a Windows session, you can browse the text log of a user, select a particular task, and watch the video. This way, you do not have to go through the entire video and can watch only the video of the specific user activity that you require.

  • For a Windows session, you can search for a particular event in a video by using the keyword search option. For example, if an important file is deleted, you can use the keyword search to find all the user activities where a deletion task is performed, and then select the video of your interest.

Configuring the Video Path (Optional)

The video path is where all the recorded videos are stored. This feature creates the path by default.

NOTE: The video path configuration and audit settings are specific to each host. To maintain consistency, ensure that all the hosts with the Audit Manager package contain the appropriate video configuration.

For example, if the Framework Manager has 2 hosts with the Audit Manager package, and one has the Video Subfolder Configuration enabled while the other has the option disabled, the videos are stored in different folder structures. To avoid this, ensure that the video configuration is consistent across all the hosts.

To modify the video storage path:

  1. Click Hosts on the home page of the console.

  2. Select the host for which you want to configure the video path.

  3. Click Packages > Audit > Audit Settings.

  4. Specify the following:

    Video Path: Specify the path where the videos must be stored. Ensure that you have created the new folders before you change the path. If you want to store the video in a shared folder, you must specify the video path in the format:

    \\<ip address>\<sharedfolder>

    Video Subfolder Configuration: Select Enable to store the videos in the subfolders created under the Video Path, that is, <Video Path>/<Host Name>/<Year>/<Month>/<Session ID>.

    Select Disable to store the videos directly in the path specified in Video Path.

    Shared Folder Access Domain: If you want to store the video in a shared folder, select the domain on which the shared folder is located.

    Shared Folder Access Credentials: If you want to store the video in a shared folder, select the credentials to access the shared folder.

    If the Audit Manager is in a non-Windows environment, change the path accordingly.

    NOTE:

    • The access credential drop-down contains only those credentials that are created in Command Control under Privileged Accounts.

    • The access credential for the Windows shared folder must have write permission.

  5. Click Finish.

Configuring Video Archival (Optional)

To archive the videos:

  1. Click Reports > Settings on the home page of the console.

  2. Click Audit Settings.

  3. Add the following sample script under Rollover Script:

    use warnings;
    use File::Copy;

    $ctx->log_info("===================================================================================");
    if ($DBGRP eq 'cmdctrl') {
        # Source (capture) and destination (backup) folders, selected by platform.
        my $srcdir = ($^O eq 'MSWin32') ? "C:/Program Files/Netiq/npum/service/local/audit/video/capture/" : "/opt/netiq/npum/service/local/audit/video/capture/";

        my $dest = ($^O eq 'MSWin32') ? "C:/Program Files/Netiq/npum/service/local/audit/videobck/" : "/opt/netiq/npum/service/local/audit/videobck/";

        my $fileage = 1;     # Age in days

        opendir(DIR, $srcdir) or die $ctx->log_error("Can't open $srcdir: $!");
        # Skip the "." and ".." directory entries.
        my @files = grep { !/^\.+$/ } readdir(DIR);
        foreach my $file (@files) {
            my $old = "$srcdir/$file";
            # Only regular files older than $fileage days are moved.
            if ((-f $old) && ($fileage < -M $old)) {
                # Deletes the files already in the Linux backup folder before each move (the path is hardcoded).
                unlink glob "'/opt/netiq/npum/service/local/audit/videobck/*.*'";

                move($old, $dest) or die $ctx->log_error("Move $old -> $dest failed: $!");
            }
        }
        closedir(DIR);
        $ctx->log_info("Backup Complete");
    }

  4. Click Update.

Configuring the Video Conversion Settings

Using the video conversion settings, you can optimize the video conversion process based on quality, size, and CPU utilization.

The video conversion settings are global settings that will be applied to all the policies which have the Video Capture option enabled. Based on this configuration, the images are captured for the sessions and converted to videos.

To edit the Video Conversion Settings:

  1. On the home page of the console, click Command Control.

  2. In the left pane, click Command Control.

  3. In the right pane, click Video Settings.

  4. In the right pane, edit the following fields for Windows and SSH:

    Settings: Select Default or Low Priority to use the predefined settings. You cannot modify the predefined settings.

    Select Customize to customize the video settings.

    Video fps: This option determines the quality of the video. The Video fps value that is set is the maximum video fps that can be achieved. Based on the factors such as type of Processor, RAM capacity, CPU availability, and so on, the video fps may vary.

    If the video fps value is high, the video quality is good and the video consumes more storage.

    Video Duration: Select the Video duration as 1 min or 2 min based on the requirement.

    If the video duration is longer, the number of video files is lower.

    Video Conversion Priority: This option determines the video conversion process priority in the CPU. By setting the priority, you can ensure that other operations of the CPU are uninterrupted.

    Set this option to Low when the video conversion is not of high priority.

    Set this option to Normal when the video conversion process is of moderate or high priority.

  5. Click Save.

Enabling Video Capture

To enable video capture:

  1. Add a resource. For more information, see Contextual Help.

  2. Click Command Control on the home page of the console, then click Create a rule.

  3. Select the account that you created from the Credentials drop-down list.

  4. Select the following options:

    For Windows:

    Session Capture: Set this option to ON to enable session capture.

    Video Capture: Set this option to ON to enable video capture.

    For SSH:

    Session Capture: Set this option to ON to enable session capture.

    X11 Enable: Set this option to Yes to enable X11 application access.

    Video Capture: Set this option to ON to enable video capture.

  5. Click Finish.

Converting the FLV Videos to WebM

Privileged Account Manager supports videos only in WebM format. If you have videos in FLV format, you need to convert the videos to WebM format to enable the playback of the recorded videos.

Convert the FLV Videos to WebM in Windows

To convert the videos to WebM format, download the FFmpeg executable from the download site and execute the following command:

ffmpeg.exe -i <input_file_name>.flv -c:v libvpx-vp9 -speed 8 -deadline realtime <output_file_name>.webm

Convert the FLV Videos to WebM in Linux/Unix

To convert the videos to WebM format, download the FFmpeg executable from the download site and execute the following command:

./ffmpeg -i <input_file_name>.flv -c:v libvpx-vp9 -speed 8 -deadline realtime <output_file_name>.webm
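
To convert a whole video store rather than one file, the Linux/Unix command can be wrapped in a loop. The following added example (not part of the product documentation) walks a directory tree such as the Video Path subfolders, converts each .flv with the same FFmpeg options, keeps the original recording, and skips files that already have a .webm; the function name convert_flv_tree and the FFMPEG override variable are assumptions.

```shell
#!/bin/sh
# Added example (not product code). FFMPEG can point at a specific binary,
# for example FFMPEG=./ffmpeg; it defaults to ffmpeg on PATH.
FFMPEG=${FFMPEG:-ffmpeg}

# convert_flv_tree <root-dir>
# Prints "converted=N skipped=N failed=N" and returns non-zero if any file failed.
convert_flv_tree() {
    root=$1
    converted=0; skipped=0; failed=0

    # Collect the file list first so the loop runs in this shell and the
    # counters survive (a pipe into while would run in a subshell).
    list=$(mktemp) || return 2
    find "$root" -type f -name '*.flv' > "$list"

    while IFS= read -r flv; do
        webm="${flv%.flv}.webm"
        # A non-empty .webm means this recording was already converted.
        if [ -s "$webm" ]; then
            skipped=$((skipped + 1))
            continue
        fi

        # Write to a temporary name that still ends in .webm so FFmpeg picks
        # the right container, and rename only after a successful run.
        tmp="${flv%.flv}.partial.webm"

        # -nostdin and </dev/null stop FFmpeg from consuming the file list
        # that the while loop is reading on standard input.
        if "$FFMPEG" -nostdin -y -i "$flv" -c:v libvpx-vp9 -speed 8 \
               -deadline realtime "$tmp" </dev/null >/dev/null 2>&1 \
           && [ -s "$tmp" ]; then
            mv -- "$tmp" "$webm"
            converted=$((converted + 1))
        else
            # Leave no partial output behind; the original .flv is untouched.
            rm -f -- "$tmp"
            failed=$((failed + 1))
            echo "conversion failed: $flv" >&2
        fi
    done < "$list"

    rm -f -- "$list"
    echo "converted=$converted skipped=$skipped failed=$failed"
    [ "$failed" -eq 0 ]
}
```

The original .flv files are never deleted, so a failed or interrupted run can simply be repeated.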

8.2.5 Viewing the Videos

To view the videos:

  1. Click Reports on the home page of the console, and click Built-In Reports > All Sessions, Disconnected Sessions, Change Logs, Credential Checkouts, or Shared Key Checkouts.

  2. Select the session report you want to view. The Details page is displayed.

  3. In the Capture column, click on the video icon.

    The video icon is displayed only if video capture is enabled for that session.

    NOTE:

    • If the recorded videos with .flv extension are not displayed, ensure that you have converted those videos to .webm format. For more information, refer to Converting the FLV Videos to WebM.

    • Video playback is not supported in Edge Browser as Edge browser does not support WebM format. Instead, use Google Chrome or Mozilla Firefox to play the videos.

  4. The following information about the session is displayed.

    • Overview

    • Keystrokes

    • Screenshots

    • Videos

  5. In the Video screen, click the button to play the video.

    Time: The time when the event occurred.

    Standard Input: Action performed by the user.

    All events: Displays all the events.

    Filtered events: You can filter the events based on the predefined filter option.

    Find: Searches the events based on the options provided by you.

8.2.6 Video Off-Load

Privileged Account Manager audits all the privileged session operations in the form of keystrokes and videos based on the command control rule configuration. If you have enabled video capture in the rule, the video is generated in the agent where the session is running. In an agentless environment, such as SSH relay with X11 enabled, the video is generated in the SSH relay manager. After the video is generated, it is sent to the audit manager in the audit zone.

The video generation operation consumes more CPU if there are multiple concurrent sessions to the agent or SSH relay manager. Hence, Privileged Account Manager provides an option to configure a server (video off-load agent) exclusively for video generation operation. You can use a video off-load agent, when you are using SSH Relay, Application SSO, or when the agent has limited resources. When the video off-load agent is down, the conversion operation is performed on the Privileged Account Manager agent where the session is running.

Figure 8-1: Flow of the video generation process in an agent environment.

Figure 8-2: Flow of the video generation process with multiple audit managers.

Setting Up Video Off-Load Agent

The video off-load server is a Privileged Account Manager agent, where the session images are converted to videos. For the system requirements of the video off-load server, see the System Requirements in Privileged Account Manager Documentation website.

To set up and configure a video off-load agent:

  1. Install and register the Privileged Account Manager agent on every video off-load server.

    NOTE: You can use only a Linux server as a video off-load server.

    For more information about installing and registering a Privileged Account Manager agent, see Installing and Registering a Framework Agent in the Privileged Account Manager Installation Guide.

  2. Install the videoprocessor package on every video off-load server:

    1. Click Hosts.

    2. Select the host, which is a video off-load server, then click Packages.

    3. Click Install Packages.

    4. Select the videoprocessor package.

    5. Click Next to start installing the selected package.

    6. Click Finish.

    For more information about installing a package on the agent, see Installing Packages on a Host.

  3. Configure a location on every video off-load server to store session images and videos:

    1. Click Hosts.

    2. Select the host, which is a video off-load server, then click Packages.

    3. Select the videoprocessor package.

    4. Click Video Settings.

    5. Specify the Video Processor Path, then click Next.

      Video Processor Path is the location in the video off-load server where:

      • The temporary video capture data that is used for video generation is stored.

      • The generated videos are stored before sending them to the audit manager.

Video Off-Load Settings

Video off-load settings help in tuning the performance of the video off-load agent to optimize the video generation operation based on the resources available on the video-offload agent.

The video off-load setting is a global setting that is applied to all the video off-load agents.

To edit video off-load settings:

  1. Click Command Control > Video Settings.

  2. Click Video Processor and specify the following:

    Apply Settings: Select Default to use the predefined settings. You cannot modify the predefined settings. When you select Default, Conversion Priority is set to Normal and Auto Manage Resources is set to Yes.

    Select Customize to customize the following settings:

    Auto Manage Resources: If you set this option to Yes, then based on the CPU and memory usage at any given time, Privileged Account Manager determines the number of video conversion instances that can be executed simultaneously. For better throughput and optimized CPU and RAM usage, you must set this option to Yes.

    If you set this option to No, you must define the Number of Simultaneous Instances.

    Number of Simultaneous Instances: Specify the maximum number of video conversion instances that can run simultaneously at a time in the video off-load agent.

    Conversion Priority: This option determines the video conversion process priority in the CPU. By setting the priority, you can ensure that other operations of the CPU are uninterrupted.

    Set this option to Low when video conversion is not of high priority. If you set the priority to Low, the video generation operation is slow and consumes more temporary storage to accumulate the video generation data.

    Set this option to Normal when the video conversion process is of moderate or high priority.

  3. Click Finish.

Enabling Video Off-Load

You must enable Video Off-load in the appropriate Privileged Account Manager rule to transfer the session-image-to-video conversion activity to the video off-load agent.

Before enabling video off-load, ensure that you have set up the video off-load agent. For more information about setting up the video off-load agent, see Setting Up Video Off-Load Agent.

To enable video off-load:

  1. Click Command Control on the home page of the console, then click Create a rule.

  2. (Conditional) If you are creating a new rule, then click Create a rule.

  3. (Conditional) If you are updating an existing rule to support video off-load, then click the appropriate rule.

  4. Select the following options:

    For Windows:

    • Session Capture: Set this option to ON to enable session capture.

    • Video Capture: Set this option to ON to enable video capture.

    • Video Offload: Set this option to ON to enable video off-load.

    For SSH:

    • Session Capture: Set this option to ON to enable session capture.

    • X11 Enable: Set this option to Yes to enable X11 application access.

    • Video Capture: Set this option to ON to enable video capture.

    • Video Offload: Set this option to ON to enable video off-load.

    For more information about the rule configuration fields, see Modifying a Rule.

  5. Click Finish.

For emergency access requests, you can off-load the video generation operation by selecting Video Capture and Video Offload when approving the request.

8.2.7 Change Log Reports

Any GUI-specific operation performed by you is audited by the Change Logs reports. Each operation is tracked, and the log is maintained in the Change Logs report. The default Sample Report displays all of the collected audit records and any associated keystroke capture.

Viewing Report Data

  1. Click Reports > Change Logs on the home page of the console.

    The Details pane displays the following information about each instance of the report.

    Change Time: Displays the date and time when the GUI operation was performed.

    User: Displays the name of the Framework user who performed the GUI operation.

    Module: Displays the module where the GUI operation was made.

    Source: Displays the name of the particular functionality within the module where the GUI operation was performed.

    Audit ID: Displays the unique ID of the audit record.

    Host: Displays the name of the host on which the GUI operation was performed.

    Action: Displays the specific operation performed by the user. For example, registering a host to the Privileged Account Manager Framework.

    Audits: Displays the Audit details.

8.2.8 Password Management

When a user performs any password checkout operation, the Password Management feature audits the records. Any password-specific operation performed by the user is audited by the Password Management feature. Each operation is tracked, and the log is maintained in the Password Management report. The default Sample Report displays all of the collected audit records. For information about accounts, refer to Privileged Access to Applications and Cloud Services.

8.2.9 Enabling Password Management

A console package named report_pwdcheckout needs to be installed to enable the Password Management feature.

8.2.10 Viewing Report Data

  1. Click Reports > Built-In Reports on the home page of the console.

  2. Click Credential Checkouts.

  3. The Details pane displays the following information about each instance of the report.

    Checkout Time: Displays the date and time when the password was checked out.

    Checkin Time: Displays the date and time when the password was checked in.

    User: Displays the name of the user who checked out the password.

    Run As: Displays the name of the user who checked out the password.

    Run Host: Displays the name of the host from which the password was issued.

    Request ID: Displays the request ID of the password checkout.

    Checked-in By: Displays the user who checked in the password.

    Target: Displays the target for which the password was checked out.

    Audits: Displays the unique ID details of the audit record.

    UEBA Risk: You can configure the following risk levels for ArcSight Intelligence:

    • UEBA_USER_NOT_FOUND

    • UEBA_NOT_CONFIGURED

    • UEBA_CONFIGURATION_DISABLED

    By default, this rule considers any user with an ArcSight Intelligence score less than 50 as a low-risk user. You can modify this rule to change how the score from ArcSight Intelligence is interpreted, including the value for the score (the default value for the score condition is < 50).

8.2.11 Shared Key Management

Any key-specific operation performed by a user is audited by the Shared Key Management feature. Each operation is tracked, and the log is maintained in the Shared Key Management report. The default Sample Report displays all of the collected audit records. For more information about using shared accounts, refer to Section 5.0, Working with Credentials.

8.2.12 Enabling Shared Key Management

A console package named report_sharedkeycheckout needs to be installed to enable the Shared Key Management feature.

Viewing Report Data

  1. On the home page of the console, click Reports > Built-In Reports > Shared Key Checkouts.

  2. The Details pane displays the following information about each instance of the report.

    Checkout Time: Displays the date and time when the key was checked out.

    Check-in Time: Displays the check-in time of the shared key.

    User: Displays the name of the user who checked out the key.

    Key: Displays the name of the checked-out key under the shared key domain.

    Key Domain: Displays the shared key domain from which the key was checked out.

    Used: Displays the number of keys which have been used.

    Total Allowed: Displays the total number of keys available under the shared key domain.

    Request ID: Displays the request ID of the key checkout.

    Checked-in by: Displays the user who checked in the password.

    UEBA Risk: Displays the UEBA risk score of the user.

    Target: Displays the type of the checked-out key.

    Audits: Displays the unique ID details of the audit record.