Behavior Profiles

Behavior profiles allow PAM System Administrators to create custom configurations to take automatic actions based on the behavior profiles of users.

Common examples would be a Behavior Profile where a user unlocks too many secrets in a short amount of time or a user frequently downloads files during a remote session.

These behavioral events could then trigger actions such as blocking the user’s access or terminating their session, allowing PAM to perform self-monitoring with automated remediation.

Create Behavior Profiles

Any user who has been granted the global System Administrator role may access and modify the Command Control policies, located at Administration > Behavior Profiles.

To create a new profile, navigate to Administration > Behavior Profiles and click the Add button. 

Create your policy by entering the values as required.

Name

Enter a unique but descriptive name for your profile.

When applying the policy, the user will be selecting your policy by name only from a dropdown menu.

Description

Enter a description for your profile.

Next, click the Add Rule button to begin configuring your behavior profile rules.

Behavior Profile Rules consist of two components: the Trigger, which is the user action or event being monitored, and the Rule Actions, which are the automatic remediation actions performed.

Your rule may only include a single Trigger; however, this same rule may include multiple Rule Actions.

The available Triggers are described below. 

Please note that, depending on the selected Rule Type, more or fewer options may be available.

Rule Type

Select the rule from the dropdown menu that will be used to trigger the action.

Threshold Count

This parameter specifies the number of times the selected type of user behavior must occur before it triggers execution of the rule’s actions.

Threshold Size (Kb)

This parameter specifies the minimum size of the content (in kilobytes) involved in the user behavior to count as a trigger condition for the rule’s actions to execute.

You may leave this parameter blank or specify -1 to indicate that this rule applies to content of any size.

Rate (min)

This parameter defines the time window (in minutes) within which the user behavior events must occur to trigger the rule action.

For example, it might be acceptable for a user to transfer 50 files during an entire session; however, transferring 50 files in the course of 5 minutes should cause a session termination.

For events related to remote sessions, leave this parameter blank or specify -1 to indicate that the system should count the user behavior threshold over the duration of the current session.

Rule Description

This read-only field provides human-readable feedback describing the current rule configuration to confirm the expectations of the rule’s behavior.
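The following added sketch (not the product's code) models how Threshold Count, Threshold Size (Kb) and Rate (min) combine as described above, using the 50-file transfer example. The names Rule and first_trigger, the (minute, size_kb) event format and the inclusive window boundary are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class Rule:
    threshold_count: int              # Threshold Count
    threshold_size_kb: Optional[int]  # Threshold Size (Kb); None or -1 = any size
    rate_min: Optional[int]           # Rate (min); None or -1 = whole session


def first_trigger(rule: Rule, events: Iterable[Tuple[float, float]]) -> Optional[float]:
    """Return the minute at which the rule would fire, or None if it never does.

    events: (minute_since_session_start, size_kb) for one user in one
    session, in time order (hypothetical format).
    """
    any_size = rule.threshold_size_kb in (None, -1)
    whole_session = rule.rate_min in (None, -1)
    window = deque()  # timestamps of events that currently count
    for minute, size_kb in events:
        if not any_size and size_kb < rule.threshold_size_kb:
            continue  # below the minimum size: not a trigger condition
        window.append(minute)
        if not whole_session:
            # Assumption: an event exactly rate_min old still counts.
            while minute - window[0] > rate_min_of(rule):
                window.popleft()
        if len(window) >= rule.threshold_count:
            return minute
    return None


def rate_min_of(rule: Rule) -> int:
    """Rate window in minutes; only called when a window is configured."""
    return int(rule.rate_min)


# Constructed sample sessions, 100 KB per transfer.
STEADY = [(m, 100) for m in range(0, 100, 2)]             # 50 files over 100 minutes
BURST = [(m, 100) for m in range(5) for _ in range(10)]   # 50 files in 5 minutes

if __name__ == "__main__":
    print(first_trigger(Rule(50, -1, 5), STEADY))   # steady use, 5-minute window
    print(first_trigger(Rule(50, -1, 5), BURST))    # burst, 5-minute window
    print(first_trigger(Rule(50, -1, -1), STEADY))  # steady use, whole session
```

With the same Threshold Count, the steady session only trips the rule when the Rate is left at -1, which is why a session-wide count needs a higher threshold than a short-window count.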

The available Rule Actions are described below. 

You can disable a behavior profile by unchecking all options in this Rule Actions section.

Please note that, depending on the rule type selected, the Rule Actions parameters may contain more or fewer options.

Log Event

This action causes the system to generate an Audit Log event (using the audit category Analytics) in response to the specified user behavior.

Interested parties could subscribe to daily or weekly reports, as well as to real-time notifications related to the analytics events, to monitor the behavior of system users or to fine-tune the user behavior configuration.

The events from the audit log could also be streamed to a SIEM system for correlation analysis.

Terminate Session

This action causes the system to terminate the user’s current session to the remote endpoint in response to the specified user behavior.

Block User

This action causes the system to block a user from all system activities in response to the specified user behavior.

A blocked user may still log in to PAM; however, until they are unblocked, they will not have access to any objects or settings. This includes all permissions and roles, even System Administrator.

Blocked users can only be unblocked by System Administrators from the Administration > Global Roles screen by removing the blocked role or from the Users report by selecting the Unblock option for this user.

Reset Password

This action causes the system to schedule a password reset task for the asset(s) involved in the specified user behavior.

When you are finished, click the Save button to complete the rule creation. This new rule will be added to the Behavior Profile. 

If you wish to add more rules to this profile, click the Add Rule button and repeat the process. 

Each Behavior Profile can contain multiple rules.

When you are finished creating your Behavior Profile, click the Save button to complete the profile creation.

Edit or Delete Behavior Profiles

To edit or delete an existing profile, navigate to Administration > Behavior Profiles and click the Edit or Delete button next to your desired profile. 

If editing a profile, be sure to click the Save button when you are finished with your changes.

Edit or Delete Behavior Profile Rules

To edit or delete an existing profile's rules, navigate to Administration > Behavior Profiles and click the Edit button next to your desired profile.

When you are on the Behavior Profile’s Edit page, click the Edit or Delete button next to your desired rule.

Make the required changes and click the Save button when finished.

Applying Behavior Profiles

Behavior Profiles are applied to Records through the use of Workflow Bindings. 

When you configure Workflow Bindings, you will have the option to select one Behavior Profile that will be applied to all users that are bound to this object’s workflow. 

The Profile will then be applied to their interactions related to this Record.

Please visit the Workflows article for additional information and configuration options.