To enable the automatic response “Add to Pending” within PTA when unmanaged credentials are found, the PTAUser needs to have the minimum permissions for the PasswordManager_pending safe as follows:

List Accounts: This permission allows the PTAUser to view the accounts in the safe and their properties.

View Safe members: This permission allows the PTAUser to view the members of the safe and their authorizations.

Add accounts (includes update properties): This permission allows the PTAUser to add new accounts to the safe and update their properties, such as name, address, platform, and policy.

Update Account content: This permission allows the PTAUser to update the password of the accounts in the safe.

Update Account properties: This permission allows the PTAUser to update the properties of the existing accounts in the safe, such as name, address, platform, and policy.

These permissions are required for the PTAUser to be able to detect unmanaged privileged accounts and add them to the pending accounts queue in the PasswordManager_pending safe. The PTAUser also needs to have the same permissions for the PasswordManager_reconcile safe to enable the automatic response “Reconcile credentials” for suspicious password change events.  References :  Configure PTA Remediations ,  Safe Member Authorizations

 After deploying a new HTML5 Gateway in your organization, you configure the PSM to use the HTML5 Gateway by navigating to the Administration section in the PVWA.  From there, you go to Options, then Privileged Session Management, and under Configured PSM Servers, you will find the option to Add PSM Gateway 1 . This is where you can specify the details of the newly deployed HTML5 Gateway to ensure that the PSM can utilize it for secure remote access to target machines through an HTML5-based session.

References :

CyberArk’s official documentation provides a step-by-step guide on how to install and configure the PSM HTML5 Gateway, including the process of adding the gateway to the PSM configuration 1 .

For more detailed instructions and best practices on configuring the PSM with an HTML5 Gateway, refer to the CyberArk Defender PAM course materials and study guides

It is possible to restrict the time of day, or day of week that a verify process can occur by using the  Verify Time Window  parameter in the  Platform Management  page. This parameter allows the administrator to define a time window for each platform, during which the verify process can be performed. The verify process will not run outside of this time window, unless it is manually initiated by the administrator. This feature can help reduce the load on the target systems and the network during peak hours.  References :

[Defender PAM Course], Module 4: Managing Accounts, Lesson 2: Account Verification, Slide 8: Verify Time Window

[Defender PAM Documentation], Version 12.3, Administration Guide, Chapter 4: Managing Platforms, Section: Verify Time Window

 To configure the CyberArk Vault to send data to Privileged Threat Analytics (PTA), you must edit the  dbparm.ini  file on the Vault.  This file contains parameters that specify how the Vault should forward syslog events to PTA, ensuring that the Vault can send secured syslog data to PTA for analysis and threat detection 1 .  References :

CyberArk Docs: Configure Vault Trusted Connection to PTA 2

Netenrich: CyberArk Vault via Syslog 1

For a Privileged Threat Analytics (PTA) detection of a “Suspected Credential Theft,” the automatic remediation that can be configured is  Rotate Credentials . This remediation action is designed to automatically initiate password changes when PTA identifies a suspected credential threat, such as a credential theft event.  By rotating the credentials, CyberArk ensures that the potentially compromised credentials are changed, thus mitigating the risk of unauthorized access 1 .

References :

CyberArk’s official documentation on configuring PTA remediations, which includes information on automatic password rotation for suspected credential threats 2 .

Additional details on the remediation actions that can be configured for different types of PTA detections, including Suspected Credential Theft 1 .

 It is possible to restrict the time of day, or day of week that a reconcile process can occur by using the  Reconcile Safe  option in the  Platform Management  section of the  PrivateArk Client . This option allows the administrator to define the  reconcile schedule  for each platform, which specifies when the reconcile process can run and how often it should be performed. The reconcile schedule can be set to run daily, weekly, monthly, or on specific days and times. By restricting the reconcile process, the administrator can reduce the risk of unauthorized access to the accounts and improve the performance of the system.  References :

[Defender PAM Course], Module 5: Reconcile and Rotate, Lesson 1: Reconcile and Rotate Overview, Slide 9: Reconcile Safe

[Defender PAM Study Guide], Section 5.1: Reconcile and Rotate Overview, Page 24: Reconcile Safe

[CyberArk Documentation], Privileged Access Security Implementation Guide, Chapter 5: Configure the Vault, Section 5.4: Configure Platforms, Subsection 5.4.2: Reconcile Safe

A. Store the CD in a physical safe and mount the CD every time Vault maintenance is performed . This option ensures that the CD is kept in a secure location when not in use, and that the keys are available when needed.  This is the default option suggested by CyberArk 1 .

B. Copy the entire contents of the CD to the system Safe on the Vault . This option allows the Vault to access the keys from the system Safe, which is a special Safe that stores the Vault configuration files and keys.  The system Safe is encrypted and protected by the Vault, and can only be accessed by authorized users 2 .

D. Store the server key in a Hardware Security Module (HSM) and copy the rest the keys from the CD to a folder on the Vault Server and secure it with NTFS permissions . This option provides an additional layer of security for the server key, which is the most critical key for the Vault. An HSM is a physical device that stores and manages cryptographic keys in a tamper-resistant and isolated environment.  The Vault can integrate with an HSM to store and retrieve the server key 3 . The rest of the keys can be stored in a folder on the Vault Server and secured with NTFS permissions, which restrict access to authorized users and groups.

The following option is  not  secure and should be avoided:

C. Copy the entire contents of the CD to a folder on the Vault Server and secure it with NTFS permissions . This option exposes the keys to potential risks, such as unauthorized access, data corruption, or deletion. NTFS permissions are not sufficient to protect the keys from malicious or accidental actions.  Moreover, this option does not comply with the CyberArk best practices, which recommend to store the keys on a removable media or an HSM

In the Private Ark client, to update users’ Vault group memberships, you use the  Update > Member Of tab . This tab allows administrators to manage which groups a user is a member of.  By adding or removing groups in this tab, you can effectively update the user’s group memberships and, consequently, their access permissions within the Vault 1 .

References :

CyberArk’s official documentation on managing users in the Private Ark client, which includes instructions on how to update users’ group memberships

The Central Policy Manager (CPM) in CyberArk most commonly uses the  ODBC  (Open Database Connectivity) interface when connecting to a database. ODBC is a standard API for accessing database management systems (DBMS).  The CPM supports remote password management on all databases that support ODBC connections, and the machine running the CPM must support ODBC, version 2.7 and higher 1 .  References :

CyberArk Docs: Databases that support ODBC connections 1

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Using-Logon-Accounts-for-SSH-and-Telnet-Connections.htm?Highlight=logon%20account