Suspected Credential Theft (SCT) detection

This topic describes Suspected Credential Theft.


Suspected Credential Theft (SCT) enables you to detect when an account was used to connect to an asset without first retrieving credentials from the CyberArk PAM Vault. This type of detection can alert you to potential credentials theft by an unauthorized user or attacker.

SCT supports detections of unauthorized connections to the following machines:

  • Windows on-premise and Cloud-hosted machine/VM

  • *NIX on-premise and Cloud-hosted machine/VM

ISI integrates with your SIEM system to forward logon data to ISI and then ISI analyzes the logon activity. For more information, see Configure ISI to receive SIEM events.

If suspicious login activity is detected, you receive an SCT alert and can review and investigate it in the ISI Explorer window.

In addition, you can configure ISI to remediate SCT events. If there is an SCT event, ISI automatically triggers a request to the CyberArk PAM Vault to rotate the credentials of the detected account.

For more information, see View and analyze Suspected Credential Theft events.

Considerations and expected behavior

  • Currently only the Splunk SIEM configuration with heavy forwarders is supported.

  • It may take approximately 24 hours for newly onboarded accounts to be assessed by SCT detection. During this period, you will not get SCT alerts on accounts that are already being managed in the CyberArk PAM Vault.

  • SCT detection only supports accounts that are stored in CyberArk's PAM Vault with an address of FQDN or hostname. Accounts stored by IP address are not currently supported.

  • SCT is triggered only when the credentials were not retrieved from CyberArk's PAM Vault within 8 hours prior to when the account connected to the target machine.

  • SCT events do not contain information about the user who leveraged the account that initiated the detected connection.