chapter 9 Flashcards
Discovery and Onboarding Methods
(blank)
- Add multiple accounts from file
- Accounts Discovery & Onboarding Rules
(blank)
- Discovery and Audit (DNA)
- REST API
Add a single account
Continuous Accounts Discovery
what are the steps to add a single account?
select system type
assign to platform
store in safe
define properties
Frequently there is a need to upload many known accounts from an existing repository
* This is especially valuable during the early stages of implementing CyberArk PAM, migrating from another solution, or when onboarding a new department into the PAM solution
You can download a sample CSV file
* Once you have provided the data on the accounts to create, you can then upload the file to the system for processing, either by browsing to the file or using drag & drop
Account parameters to be uploaded to the Vault are entered into a text file as Comma Separated Values (CSV)
* Each row represents an account and contains the properties for that account
what are some of the limitations of using a file to create accounts?
Linked accounts and dependencies are not supported
(blank)
(blank)
* The upload process cannot be cancelled once started
* You must wait for the current file to finish uploading before you can upload another file
* Multiple users cannot upload files at the same time
* All accounts must be uploaded into existing Safes and groups
* Each file can contain a maximum of 10,000 accounts
Accounts Discovery Workflow processes
(blank) - continually scan the Windows and Linux environments to detect privileged credentials and accounts
onboard - add all discovered privileged accounts to the pending list to validate privilege
(blank) - automatically add privileged accounts to be managed and rotated in the digital vault
onboarding rules - minimize the time to onboard accounts and prevent human errors that may occur during manual onboarding
discover
manage
Windows Discovery steps
(blank) creates the Discovery
- CPM Scanner connects to the Vault and collects the task
- CPM scans the Directory
- CPM authenticates to the targets and scans for Accounts
- Accounts are filtered by the Automatic Onboarding Rules
- Accounts which fit a rule are onboarded in the appropriate Safe
- Accounts which do not fit a rule are stored in the (blank) for manual onboarding
vault admin
pending safe
what are the steps for Running a New Windows Discovery
go to the (blank) tab. Under Accounts Feed, click on Pending & Discovery and then Discovery Management.
* Available to members of the Vault Admins group
then click New Windows Discovery
accounts
what information is needed to run a new windows discovery
1. Domain name
2. Choose if a secure connection will be used to connect to Active Directory
3. Scan account name - must be a domain account and have the following permissions:
   - Read permissions on the Active Directory
   - Local administrative rights on discovered Windows servers and workstations
4. OU of Servers / Workstations in AD
5. CPM to perform the scan
6. Whether to run a recurring or one-time discovery
once the discovery is created, what happens?
the new discovery will be listed on the (blank) page
the status will be listed as (blank) until the process starts
the status will change to Running when the process starts
you have buttons to stop or delete the discovery
discovery management
pending
Multiple discoveries from different (blank) can run simultaneously
* Accounts found will be categorized as Privileged / Non-Privileged:
  - The categorization is based on the group membership
  - If the account is a member of any Local Administrators group, the account is privileged
  - The account will remain privileged until removed from all machines it was discovered on
CPM Scanners
Accounts that do not match any Onboarding Rule will be listed in (blank)
Pending Accounts
you can click on any pending account to see further details in the (blank) pane
account preview
For Windows accounts, the (blank) column shows you if any account is used anywhere else (a usage), such as for a Windows service or scheduled task.
Dependencies
Select one or more accounts from the list of Pending accounts and click Onboard Accounts
Information needed for onboarding accounts:
1. The Safe in which these accounts should be stored; you can either choose an existing Safe or create a new one
2. The platform - what type of account are these? Do they require a separate platform? Is reconciliation available?
Once onboarded, the new accounts can be found in the (blank)
accounts view
(blank) - minimize the time it takes to onboard and to manage accounts securely, reduce the time spent reviewing pending accounts, and prevent human errors from occurring during manual onboarding
automatic onboarding rules
the onboarding wizard walks you through each stage of the rule creation process and ensures that each rule is unique
1. Select system type - Windows or *nix
2. Select scope:
   * Machine type
   * Account type
   * Account Category
   * Privileged account type
   * Optionally, a user or machine name string to match
3. Assign to platform - select the target Platform that will be associated with accounts that match this rule
4. Store in safe - select the Safe in which the accounts will be stored
5. Define properties:
   * Name
   * Description
   * Initial password settings
NOTE: if a reconcile account is associated with the Platform and the parameter Auto Verify on Add is set to Yes, you can completely automate the onboarding process by having the passwords for these accounts changed immediately and automatically by CyberArk PAM
- (blank) apply to both Accounts Discovery and using the Add discovered accounts feature of the REST API
- Discovered accounts are automatically processed by the onboarding rules and provisioned in the Vault
- Accounts that cannot be processed by any of the rules are added to the Pending Accounts list and can be reviewed and onboarded manually
- Automatic Onboarding Rules only apply to accounts without dependencies.
- A new rule takes precedence over an existing rule
Onboarding Rules
Information needed for running a (blank) Discovery
- CSV file containing IP addresses of Unix/Linux machines
- Unix user to perform the scan and get the accounts
- A default password
- CPM Scanner
- Whether or not to scan for SSH Keys
- Recurring or one-time
unix
Continuous accounts
discovery via log-in events for:
1. Windows
2. Unix-like
3. Oracle
4. AWS
5. Azure
6. Other
CyberArk (blank) detects unmanaged privileged access events
* The PTA can detect when a connection to a machine or a cloud service is made with a privileged account that is not stored in the Vault and automatically onboard the account
* This detection is supported out of the box for Windows, UNIX, AWS, and Azure accounts
* Other platforms can be supported by building custom plug-ins for PTA
Privileged Threat Analytics
The PTA continuously monitors (blank) groups
* Faster response time
* Automatic response
windows local administrator
- The (blank) is a set of REST-based services running on the PVWA that allow scripts and applications to communicate with the Vault.
- It is used by CyberArk applications as well as third-party applications, allowing organizations to develop custom interactions with the Vault to automate business processes.
EXAMPLE: Integrating the process of adding a new Windows machine to the company's network with automatic provisioning of the target server local Administrator account in the Vault
PAM Web Services API
There are three main REST methods that are relevant for the process of onboarding accounts:
1. Add account - The Add Account method will be used when the target Safe and Platform are known to the onboarding utility
2. Add discovered accounts - CyberArk discovery and upload mechanisms, as well as third-party discovery mechanisms, will use the Add Discovered Accounts method in order to upload discovered accounts (and dependencies) to the Pending Safe or onboard the accounts directly via automatic onboarding rules.
3. Create bulk upload of accounts - The Create bulk upload of accounts method is used to upload multiple accounts to existing Safes
   * It is also used when adding multiple accounts from a file via the PVWA Web UI