(UPA) detection

This topic describes .


(UPA) detection enables you to detect when a privileged account that is not managed by the CyberArk PAM Vault connects to a target machine. This type of detection can reduce security risks by alerting you about security gaps in your PAM configuration that can potentially be used by malicious actors.

UPA supports detections of unmanaged connections to the following machines:

  • Windows on-premise and Cloud-hosted machine/VM

  • *NIX on-premise and Cloud-hosted machine/VM

ISI integrates with your SIEM system to forward logon data to ISI and then ISI analyzes the logon activity. For more information, see Configure ISI to receive SIEM events.

If an unmanaged privileged account is detected, you can enable a remediation action that adds the account to the CyberArk PAM's Pending Accounts list. The account can then be manually onboarded. We recommend that you enable the automatic remediation option. For more information, see Enable UPA.

Considerations and expected behavior

  • Currently only the Splunk SIEM configuration with heavy forwarders is supported.

  • Unmanaged accounts are considered to be privileged if one of the following scenarios occurs:

    • The accounts were discovered by CyberArk's account discovery tool, are in use, and marked as privileged.

      Discovered accounts are listed in the Privilege Cloud Portal's Pending Accounts page. For more information, see Analyze pending accounts.

    • The account's username matches the following pre-defined naming rules:


      Account username




      root, admin, ec2-user, ubuntu, centos, fedora

      These pre-defined rules are not configurable.

  • ISI does not detect or remediate account dependencies.

  • Detected accounts require manual onboarding to CyberArk's PAM Vault regardless of any automatic onboarding rules, if they exist.