Manage Privileged Risky Activity rules

This topic describes how to view, edit, add, and delete Privileged Risky Activity rules.

Privileged Risky Activity rules enable you to detect suspicious commands during live and recorded sessions in your environment.

You can add Privileged Risky Activity rules or edit the default rules. For more information about Privileged Risky Activity detection, see Privileged Risky Activity detection.

View Privileged Risky Activity rules

  1. From Privilege Cloud, click the Service picker, and select Identity Security Intelligence (ISI).

    A new browser tab opens and displays the ISI Explorer page.

  2. In the left pane, select Settings > Risk Model and then select the Privileged Risky Activity Rules tab.

Privileged Risky Activity rules contain the following fields (each field name is followed by its description):

Category

Activity categories:

  • SSH commands: For UNIX only

  • SQL commands: For databases only

  • Windows titles: For Windows only

  • Universal keystrokes: For all platforms

  • SCP commands: Secure copy, for UNIX only

Pattern

A valid pattern for the selected category.

Regular expressions are case sensitive for all categories.

The pattern must include at least three non-special characters.

Description (Optional)

Description of the suspicious session activity.

Remediation

The type of remediation to perform when an event occurs for this rule.

  • No action: No remediation

  • Suspend: Suspends the PSM session

  • Terminate: Terminates the PSM session

Make sure that the following is set in the Privilege Cloud Live Sessions Monitoring settings:

  • The AllowPSMNotifications parameter is set to Yes

  • In Live Sessions Monitoring Settings, the Privilege Cloud Session Risk Managers group is listed under these two settings:

    • Suspending Live Sessions Users and Groups

    • Terminating Live Sessions Users and Groups

For more information, see Configure live session monitoring.

Score (1-100)

A score between 1 and 100 that reflects the risk level of the suspicious session activity.

  • 70-100: High risk

  • 31-69: Medium risk

  • 0-30: Low risk

Active

The status of the rule: whether it is active (on) or not. When a rule is active and activity matching the rule is detected, the system creates an alert.

Default: Active (on)
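Before adding a rule through the UI it helps to check the pattern offline: that it compiles, that it respects the case-sensitivity and minimum-length constraints listed above, and that it matches the commands you expect and nothing else. The following Python script is an added example, not CyberArk code. It models a rule with the fields listed above, validates it, and runs it over a constructed excerpt of an SSH session. The sample rules, the session lines, and the reading of "non-special characters" as anything other than a regular-expression metacharacter are assumptions made for the example.

```python
"""Offline check of Privileged Risky Activity-style rules against sample
session commands. Added illustration, not CyberArk's code; the rules and
session lines below are constructed, and the 'three non-special characters'
check is an assumed interpretation of the documented constraint."""
import re
from dataclasses import dataclass
from typing import Optional

# Regex metacharacters treated as "special" when counting the minimum of
# three non-special characters (assumption, not a documented definition).
_SPECIAL = set(r".^$*+?{}[]\|()")

CATEGORIES = {"SSH commands", "SQL commands", "Windows titles",
              "Universal keystrokes", "SCP commands"}
REMEDIATIONS = {"No action", "Suspend", "Terminate"}


@dataclass
class Rule:
    category: str
    pattern: str
    score: int
    remediation: str = "No action"
    description: str = ""
    active: bool = True


def risk_level(score: int) -> str:
    """Map a score to the risk bands listed on the page."""
    if 70 <= score <= 100:
        return "High"
    if 31 <= score <= 69:
        return "Medium"
    if 0 <= score <= 30:
        return "Low"
    raise ValueError(f"score out of range: {score}")


def validate_rule(rule: Rule) -> Optional[str]:
    """Return None if the rule is acceptable, otherwise the reason it is not."""
    if rule.category not in CATEGORIES:
        return f"unknown category {rule.category!r}"
    if rule.remediation not in REMEDIATIONS:
        return f"unknown remediation {rule.remediation!r}"
    if not 1 <= rule.score <= 100:
        return "score must be between 1 and 100"
    if sum(1 for c in rule.pattern if c not in _SPECIAL) < 3:
        return "pattern needs at least three non-special characters"
    try:
        re.compile(rule.pattern)  # no re.IGNORECASE: patterns are case sensitive
    except re.error as exc:
        return f"invalid regular expression: {exc}"
    return None


def evaluate(rules, category: str, lines):
    """Run every active, valid rule of one category over captured lines and
    return one alert per matching (line, rule) pair, carrying the score,
    risk level and remediation so the analyst can see what the rule would do."""
    compiled = [(r, re.compile(r.pattern)) for r in rules
                if r.active and r.category == category and validate_rule(r) is None]
    alerts = []
    for line in lines:
        for rule, rx in compiled:
            if rx.search(line):
                alerts.append({"line": line, "pattern": rule.pattern,
                               "score": rule.score,
                               "level": risk_level(rule.score),
                               "remediation": rule.remediation})
    return alerts


# Constructed sample rules; the last one is deliberately too short and is rejected.
SAMPLE_RULES = [
    Rule("SSH commands", r"rm\s+-rf\s+/", 90, "Terminate", "Recursive delete under /"),
    Rule("SSH commands", r"cat\s+/etc/shadow", 75, "Suspend", "Read password hashes"),
    Rule("SSH commands", r"history\s+-c", 40, "No action", "Clear shell history"),
    Rule("SSH commands", r"\w+", 50),
]

# Constructed excerpt of a recorded SSH session (not real capture data).
SAMPLE_SESSION = [
    "ls -la /var/log",
    "cat /etc/shadow",
    "RM -RF /tmp/build",   # upper case: no match, because patterns are case sensitive
    "rm -rf /tmp/build",
    "history -c",
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(f"{r.pattern!r}: {validate_rule(r) or 'ok'}")
    for a in evaluate(SAMPLE_RULES, "SSH commands", SAMPLE_SESSION):
        print(f"{a['level']:6} {a['score']:3} {a['remediation']:10} {a['line']}")
```

Running the script shows three alerts (the `cat`, lower-case `rm -rf` and `history -c` lines), the upper-case `RM -RF` line producing none, and the `\w+` rule being rejected before it is ever compiled, which is the same outcome the UI constraint is meant to enforce.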

Edit a rule

  1. In the Privileged Session Analysis Rules tab, locate the rule that you want to change, and next to the Status column, click Edit.

  2. Change the relevant fields, and click Save.

Change a rule's risk score

  1. In the Privileged Session Analysis Rules tab, locate the rule whose risk score you want to change, and next to the Status column, click Edit.

  2. In the Score field, enter the number that represents the risk that you want to assign to this rule:

    • 70-100: High risk

    • 31-69: Medium risk

    • 0-30: Low risk

  3. Click Save.

Set a remediation action for a rule

  1. In the Privileged Session Analysis Rules tab, locate the rule that you want to set a remediation action for, and next to the Status column, click Edit.

  2. In the Remediation field, select the action that you want to set for this rule:

    • No action

    • Suspend

    • Terminate

    For more information about Remediation settings, see Remediation.

  3. Click Save.

Add a rule

  1. In the Privileged Session Analysis Rules tab, click Add in the upper right corner of the page.

  2. In the Category field, select the relevant option from the drop-down list.

  3. In the Pattern field, enter the command pattern for the category that you selected.

  4. In the Description field, enter a description for the rule.

  5. In the Remediation area, select the type of remediation to perform when an event occurs for this rule.

  6. In the Score field, assign a risk score.

  7. In the Active field, select on for the rule to be included in the analytics.

  8. Click Add.

Delete a rule

  1. In the Privileged Session Analysis Rules tab, locate the rule that you want to delete, and next to the Status column, click Delete.

  2. Click Yes to confirm the deletion.