CA Threat Analytics integrates with CA Privileged Access Manager (CA PAM) to evaluate the risk of privileged user activity and to detect and mitigate threats from suspicious activity. Evaluation factors include the location of a privileged user, the time and duration of activity, the system connections, and user history.
By persistently monitoring activity, CA Threat Analytics identifies anomalies based on historical user behavior. The analytics server returns a risk level to CA PAM. The risk level can dynamically trigger activities, such as starting session recording or prompting the user to reauthenticate.
The integration of CA Threat Analytics and CA PAM is explained in the following topics:
The two servers interact following this sequence:
The risk level that CA Threat Analytics returns determines the actions which CA PAM takes against the user.
Recording begins for any current connection session until the end of the session. The server records all future connection sessions in their entirety.
Re-authentication and Session Recording
Any current login and device-connection sessions are suspended. CA PAM forces the user to re-authenticate by displaying a login window.
For all applets, session activity pauses and the applet window disappears. The reauthentication window then opens. For any TCP service, such as PuTTY or OpenSSH, the terminal window remains open, but you cannot enter anything in it.
Session recordings span a period of time. When the user has a connection session in progress that is being recorded, the following rules also apply:
| Risk Level | Changes To | Behavior |
|---|---|---|
| Good | Suspect or Bad | |
| Suspect or Bad | Good | |