Associate a risk score to PAN data

Associating a risk score with the PAN data lets you use that data to trigger MFA. For example, if the data returned by the SQL query is given a risk score of 90, that score can be used to trigger MFA based on the authentication policy.

You can configure many different risk score associations using SQL query statements. The following example shows user names being associated with a risk score.

To associate a risk score to the PAN data:

  1. Log in to CyberArk Identity User Behavior Analytics.
  2. Click Settings > Threat Intelligence > New.
  3. The Threat Intelligence window opens.

  4. Enter a name for the Threat Intelligence configuration.

  5. Select Black List from the Type drop-down list.

  6. Confirm that the Risk Model Type field has Application selected.
  7. Select User Name from the Event Lookup Column field.

  8. Expand the Advanced Configuration options and enter a number into the Risk Score field.

    The risk score maps to a risk level for authentication purposes.

  9. Enter the SQL query statement in the SQL text field.

    For example, this query statement looks for user name data:

    Select distinct srcuser from panw_logging.threat

    If any login request contains the user name, that information is shown in the Result table after you click Preview.

  10. Click Save.

The risk score specified in the Threat Intelligence configuration window (a score of 90 in this example) is then returned to the CyberArk MFA engine, and the authentication policy determines whether MFA is triggered.
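A local simulation of the lookup this procedure configures, added here as an illustration and not CyberArk's code: it runs the page's query against an in-memory SQLite stand-in for panw_logging.threat and scores constructed login events. The sample rows, the exact-match comparison, the score of 0 for unlisted users, and the policy threshold of 80 are assumptions.

```python
import sqlite3

PAGE_QUERY = "Select distinct srcuser from panw_logging.threat"  # query from the page
RISK_SCORE = 90         # value entered in the Risk Score field (the page's example)
POLICY_THRESHOLD = 80   # hypothetical policy cut-off, not a product default


def build_sample_db():
    """In-memory stand-in for the PAN model; every row is constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("ATTACH DATABASE ':memory:' AS panw_logging")
    conn.execute("CREATE TABLE panw_logging.threat (srcuser TEXT)")
    conn.executemany(
        "INSERT INTO panw_logging.threat VALUES (?)",
        [("alice",), ("alice",), ("bob",), (None,), ("",)],
    )
    return conn


def listed_users(conn, query=PAGE_QUERY):
    """Run the query and return the user names a preview of it would list."""
    rows = conn.execute(query).fetchall()
    # Drop NULL/blank srcuser values so an event without a user name never matches.
    return {row[0] for row in rows if row[0]}


def score_event(event, listed):
    """Look up the event's user name (the Event Lookup Column) in the list.

    Exact, case-sensitive matching is an assumption of this sketch.
    """
    return RISK_SCORE if event.get("user_name") in listed else 0


def mfa_required(score, threshold=POLICY_THRESHOLD):
    """Hypothetical policy rule: require MFA at or above the threshold."""
    return score >= threshold


if __name__ == "__main__":
    listed = listed_users(build_sample_db())
    for event in ({"user_name": "alice"}, {"user_name": "carol"}, {"user_name": ""}):
        score = score_event(event, listed)
        name = event["user_name"] or "<blank>"
        print(name, score, "MFA" if mfa_required(score) else "no MFA")
```

Before saving a configuration, compare the user names shown in the Result table with the format of the user names in login requests, since a lookup on User Name only helps if the two agree.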

Other sample query statements include:

| Query Statement | Description |
| --- | --- |
| Select * from <model name>.threat | Queries the specified model name |
| Select * from <model name>.$latest-1.threat | Queries the previous snapshot |
| Select * from <model name>.<snapshot name>.threat | Queries a specific snapshot. The snapshot name/ID is available from Settings > Model > Snapshots |

A snapshot must have a status of “Complete” before you can access that PAN data set. You can check a snapshot status from Settings > Model > Snapshots associated with the relevant model.