CyberArk CDE Reviewer Notes


2 Types of Reports:

1. PrivateArk report - intended for Vault admins
2. PVWA report - intended for auditors

===============================

Type of Reports in PVWA:

Operational Reports
1. Privileged Accounts inventory report - information about all the privileged
accounts in the system
Permission needed:
* List accounts
* View safe members

2. Applications inventory or AIM report - information about the application IDs in
the system
Permission needed:
Audit users

Audit/Compliance Reports
3. Privileged Accounts compliance status report - information about the CPM status
for each account
- validates compliance with the policy
Permission needed:
* List accounts
* View Audit
* Confirm safe request
* Member of the PVWA monitor group
* Member of the auditors group - to run the report for the entire Vault

4. Entitlement Report - information about accounts/safes that users can access in
the system
Permission needed:
Manage or audit users

5. Activity Log report - all audit information/data in the vault
Permission needed:
* User related activities: Audit users
* Safe/Account related activities: View audit

===============================

Group that a user needs to be a part of to run reports

* PVWA Monitor Group (Default group)

===============================

Types of Reports in PrivateArk

1. Safes list
2. Owners list
3. Active/Non-active safes
4. License capacity report
5. Users list
6. Active/Non-active users
7. Entitlement report
===============================

Permissions required by PTAUser on PasswordManager_Pending safe?

1. List accounts
2. View safe members
3. Add accounts
4. Update account content
5. Update account properties

===============================

Permissions required PTAUser and PTAAppUser on relevant safes

1. List accounts
2. View safe members
3. Retrieve accounts
4. Initiate CPM account management operations

===============================

PTA Logs

* Diamond.log - main PTA log
* Diamond-Utility.log - PTA utility log name
* Log_upgrade.log - PTA upgrade log name
* Statistics.log - PTA statistics log name
* Prepwiz.log - PTA installation and configuration log name

===============================

PARagent.ini - file for configuring the remote control agent in the vault
- used to change debugging levels on the vault without having to restart the vault
- file for configuring the vault to send SNMP traps to the monitoring solution

DBParm.ini - file for configuring the vault server to forward activity logs to a
SIEM or syslog server.
- file for adjusting the LDAP synchronization parameters, for setting the RADIUS
server
- file for adding new firewall rules

TSParm.ini - file for configuring the physical disks used to store vault data

Passparm.ini - file for configuring password policy for users of the vault

Basic_psm.ini - file that contains the information required to start the PSM.

==============================

Built-in Vault Users

1. Master
2. Administrator
3. Backup
4. Auditor
5. Batch
6. Operator
7. Notification Engine
8. DR
===============================

Status and Privileges that CPM should have for all safes:
Must be an owner with:
* Monitor
* Retrieve
* Store
* Delete

===============================

2 Ways of viewing the ITALog

1. Log on to the vault, navigate to server folder under the PrivateArk Install
location
2. Access the system safe from the PrivateArk client

===============================

Permissions in PVWA:

Permission to access the report tab - Auditor

===============================

PSM provides audits for the following events:

1. SQL commands
2. SSH Keystrokes
3. Windows titles
4. Universal keystrokes

===============================

5 Criteria for a safe model

1. Organizational structure
2. Security classification
3. Functional structure
4. Compliance requirements
5. Geographical structure

===============================

Failover procedure is triggered when the CPM detects one of the following events:

1. Failure of vault services
2. Failure of Storage availability
3. Failure of Virtual IP availability
4. Loss of Quorum ownership

===============================

Three aspects of Vault Authorizations.

1. Can be assigned only at the user level
2. Cannot be inherited via group membership
3. Defined only via the PrivateArk client

===============================

How can PTA contain in-progress attacks automatically?

* Onboarding unmanaged accounts
* Rotating credentials
* Reconciling credentials
* Terminating or suspending sessions

===============================

What is PTA designed to do?

1. Collect
2. Detect
3. Alert
4. Respond
5. Automate

===============================

What are the OS Installation prerequisites for Basic PSM functionality?

* Windows R2 or Windows 2016 with only remote Desktop Services (RDS) Session Host
Role
* Remote Desktop Session Host (requires RDS CAL licensing)

===============================

2 Utilities for changing the debug levels on the Vault

1. PARagent.ini
2. PrivateArk Server Central Administration

===============================

4 Things that you can specify through access control

1. Location of Access
2. Days of Access
3. Window Time for access
4. Time limits

===============================

Describe the two phases of Windows Discovery.

* Phase One:
- Log into the PVWA
- Configure the Discovery
- The CPM Scanner retrieves the Discovery
- CPM Scanner reads the directory to build the list of machines to scan

* Phase Two:
- The CPM Scanner scans the devices for accounts and dependencies
- Then uploads them to the pending safe

===============================

Describe the two phases of the Accounts Discovery process for both Windows and Unix.

* Phase One:
- Windows: Auto Discovery queries a directory container (like Active Directory) for
a list of machines
- Unix: a CSV file with the target IP addresses is uploaded to the system

* Phase Two:
- Using the list of machines generated in phase one, Auto Discovery will log into
each machine and discover accounts and dependencies

===============================

Examples of Kerberos Attacks:

* Over pass-the-hash
* DC sync
* PAC attacks
* Golden ticket

===============================

3 Types of Accounts Usages

1. Configuration file
2. Windows Registry
3. Database string

===============================

What abuse or bypass of PAS does PTA monitor?

* Unmanaged privileged access
* Suspected credential theft
* Suspicious password change
* Suspicious activities detected in a privileged session (PSM)

===============================

What critical privileged account related risks in the IT environment does the PTA
monitor?

* Exposed credentials
* Unconstrained delegation
* Dual usage

===============================

What behavior and attacks are detected by the PTA?

* Known attacks that bypass security controls
* Kerberos authentication attacks
* Privileged account statistical anomalies
* Privileged account related risks
* Risk in privileged sessions

===============================

What systems/components are collected from by the PTA?

* CyberArk Vault
* SIEM
* Active Directory
* Network
* Amazon Web Services

===============================

During PSM installation, what groups or permissions are created and assigned to the
PSM safe?

* PSM App Users: used to retrieve from the Vault, create recording safes, upload
recordings, etc.
* PSM Master: manages the safe where the recordings are stored
* PSM GW_<Machine Name>: Gateway user through which the PSM user will access the
Vault to retrieve the target machine password
* PSMApp_<MachineName>: used by the PSM for internal processing

===============================

2 Main categories of Users and groups in the system?

Locally managed (CyberArk):
* Users that are created automatically in the Vault (built-in)
* Users that are added manually to the Vault

Transparent Managed (LDAP):
* Users that are automatically provisioned from an external directory

===============================

When should you change the Master Password?

* If the chain of custody is in question
* It has been used to log in as Master

===============================

Describe the steps to log in with Master.

1. Log in with the Master Password
2. Use the Recovery Private Key
3. Log in from the specified location ("EmergencyStationIP = ")

===============================

Level of Authentication required by Master?

* Password
* Master CD
* Specified terminal

===============================

2 Reasons to have automatic onboarding rules

1. Minimizes the time it takes to onboard and securely manage accounts
2. Reduces the time spent reviewing pending accounts and prevents human errors from
occurring during manual onboarding

===============================

Groups who have the authority to review security events in the PVWA

1. Vault admins
2. Security admins
3. Security operators

===============================

Difference between PVWA and PrivateArk Client safe permissions

PrivateArk: deals with the owners' list and files
PVWA: deals with the members' list and accounts

===============================

Difference between users and accounts

Users:
Applications/components/people who have been granted access to the system

Accounts:
The actual privileged account IDs such as personal admin, generic or shared
accounts and service accounts which are stored in safes

===============================

Describe safe authorizations

* Assigned to users/groups
* Can be inherited via group membership
* Can be defined in the PrivateArk client or PVWA (typically done in the PVWA)

===============================

Keys required to be present to start the PrivateArk server service

1. Server key
2. Recovery public key
