View and analyze Suspected Credential Theft events

This topic describes how to view Suspected Credential Theft events in the Explorer page and analyze detailed information about a Suspected Credential Theft event.

Overview

In the ISI Explorer page, you can view information about Suspected Credential Theft events that occurred within a specific time period.

A Suspected Credential Theft event is generated when an account connects to a target machine without the required credentials having been retrieved from the Vault during the 8 hours before the connection.
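The rule above is a correlation between two audit trails: Vault credential retrievals and connections to target machines. The following Python script is an added illustration, not CyberArk's implementation or ISI's actual detection logic. It runs the same 8-hour lookback over a constructed set of sample records (the accounts, addresses and timestamps are made up) and assumes that each retrieval record names the account whose credential was checked out; the output record mirrors the fields the Investigate window shows (event time, account, target) and adds the age of the last retrieval as investigator context.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (made-up records, not ISI data): Vault credential
# retrievals and target-machine connections for two privileged accounts.
SAMPLE_EVENTS = [
    {"type": "vault_retrieval", "account": "svc-db",    "time": "2024-05-01T08:00:00"},
    {"type": "connection",      "account": "svc-db",    "target": "10.0.0.5", "time": "2024-05-01T09:30:00"},
    {"type": "connection",      "account": "svc-db",    "target": "10.0.0.5", "time": "2024-05-01T17:00:00"},
    {"type": "connection",      "account": "admin-web", "target": "10.0.0.7", "time": "2024-05-01T11:00:00"},
    {"type": "vault_retrieval", "account": "admin-web", "time": "2024-05-01T12:00:00"},
    {"type": "connection",      "account": "admin-web", "target": "10.0.0.7", "time": "2024-05-01T13:00:00"},
]

LOOKBACK = timedelta(hours=8)  # the window stated on the page


def _ts(event):
    """Parse the ISO-8601 timestamp of a sample record."""
    return datetime.fromisoformat(event["time"])


def flag_suspected_credential_theft(events, lookback=LOOKBACK):
    """Return one record per connection that has no Vault retrieval for the same
    account within the preceding `lookback` window.

    Assumption (not from the page): a retrieval record carries the account whose
    credential was retrieved, so retrievals and connections can be joined on it.
    """
    retrievals = [e for e in events if e["type"] == "vault_retrieval"]
    flagged = []
    for conn in events:
        if conn["type"] != "connection":
            continue
        t = _ts(conn)
        # Retrievals for this account inside [t - lookback, t]
        in_window = [r for r in retrievals
                     if r["account"] == conn["account"] and t - lookback <= _ts(r) <= t]
        if in_window:
            continue  # credential was checked out in time; normal session

        # Age of the most recent earlier retrieval, if any, for the investigator's context
        earlier = [_ts(r) for r in retrievals
                   if r["account"] == conn["account"] and _ts(r) <= t]
        last = max(earlier) if earlier else None
        flagged.append({
            "event_type": "Privileged.SCT",          # query value used on the page
            "event_time": conn["time"],
            "account": conn["account"],              # detected privileged account
            "target": conn["target"],                # target machine address
            "hours_since_last_retrieval": (
                round((t - last).total_seconds() / 3600, 1) if last else None
            ),
        })
    return flagged


if __name__ == "__main__":
    for record in flag_suspected_credential_theft(SAMPLE_EVENTS):
        print(record)
```

On the sample data, the 09:30 and 13:00 connections are covered by a retrieval inside the window and pass; the 17:00 connection is flagged because the last retrieval is 9 hours old, and the 11:00 connection is flagged because the only retrieval for that account happens after the connection. Note that, like the events described on this page, the flagged records carry the privileged account but no end-user name.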

A Security Alert event is also generated for Suspected Credential Theft events and any type of risky behavior. For more information about viewing Security Alerts, see View Security Alert events.

The Events table lists all event types and includes detailed information about the events. You can filter the Events table to show only Suspected Credential Theft events or Security Alert events.

View Suspected Credential Theft events

View a Suspected Credential Theft event from an alert

  1. In the alert that you received about an event, click the link to the Explorer page.

    A new browser tab opens. The ISI Explorer page appears with the specific event's Investigate window open.

  2. Review the event's details. See Investigate a Suspected Credential Theft event for more information.

View Suspected Credential Theft events from the Explorer page

  1. From Privilege Cloud, click the Service picker, and select Identity Security Intelligence (ISI).

    A new browser tab opens and displays the ISI Explorer page.

  2. At the top of the Explorer page, in the Query field, enter the query for Suspected Credential Theft events, event_type = 'Privileged.SCT', and click Apply.

    To view all event types, leave the Query field empty.

  3. The default time frame is 15 days. To select a different time frame, click the Calendar button, and select the time frame that you want.

  4. To view Suspected Credential Theft events in the Events table, scroll to the bottom of the Explorer page. To expand the table, rest your mouse pointer in the table and click the double arrow in the top-right corner of the table.

    Suspected Credential Theft events have no username associated with them; only events that occur during a session have usernames.

Analyze a Suspected Credential Theft event

You can analyze a Suspected Credential Theft event by viewing and investigating the details of an event such as the privileged account that accessed the target machine and the recommended action.

View Suspected Credential Theft event details

  • On the Explorer page, in the Events table, locate the specific Suspected Credential Theft event, right-click anywhere in the event row, and select Event Details.

    The Event Details window contains several details about the event including the Event ID, Risk Level, and Risk Score.

Investigate a Suspected Credential Theft event

Investigating an event gives you focused information about the event.

  • On the Explorer page, in the Events table, locate the specific Suspected Credential Theft event, right-click anywhere in the event row, and select Investigate.

    The Investigate window contains the following information:

    • Event time

    • Risk score

    • Detected privileged account that accessed the target machine

    • Target machine address

    • Recommended action