Add suspicious activities rule

This method adds a new Suspicious Activity rule in the PTA server configuration.

URL

  • Make sure there are no spaces in the URL.

  • The following characters are not supported in URL values: + & %

  • If the URL includes a dot (.), add a forward slash (/) at the end of the URL. For example: api/Safes/MySafe/Members/user@cyber.com/

https://<IIS_Server_Ip>/PasswordVault/API/pta/API/Settings/RiskyActivity/

The following values can be added in the URL. None of them are mandatory.

Resource information

  HTTP method:    POST
  Content type:   application/json

Header parameters

  Authorization (String)
    The JWT token that identifies the session.
    Valid values: a session token that was returned from the “Logon” method.

  Content-Type (JSON)

Body parameters

  None

JSON Input

  {
    "category": "KEYSTROKES",
    "regex": "(.*)netsh(.*)wlan(.*)key=clear(.*)",
    "score": 40,
    "description": "Indication of a privileged user using a decoding command in clear text to retrieve a WIFI password.",
    "response": "NONE",
    "active": true,
    "scope": {
      "vaultUsers": {"mode": "EXCLUDE", "list": ["john*"]},
      "machines": {"mode": "INCLUDE", "list": ["*"]}
    }
  }

  category (String)
    Categories of suspicious activities.
    Valid values:
      • SSH
      • WINDOWS
      • SCP
      • KEYSTROKES
      • SQL

  regex (String)
    Suspicious activity expression in regex form. Any character may be used, including "/" and escape characters.

  score (Integer)
    Activity score. The number must be between 1 and 100.

  description (String)
    Activity description. The field is mandatory but can be empty.

  response (String)
    Automatic response to be executed.
    Valid values:
      • NONE
      • TERMINATE
      • SUSPEND

  active (Boolean)
    Indicates whether the rule is active.

  scope

    vaultUsers (String)
      Vault users scope for the configured suspicious activity.

      mode (String)
        Indicates whether the list of Vault users will be processed for Suspicious Activity detection.
        Valid values:
          • INCLUDE - Only Vault users who are on the list will be processed for detection
          • EXCLUDE - Vault users who are on the list will not be processed for detection

      list (String Array)
        List of Vault users to be included or excluded for detection.

    accounts (String)
      Accounts scope for the configured suspicious activity.

      mode (String)
        Indicates whether the list of accounts will be processed for Suspicious Activity detection.
        Valid values:
          • INCLUDE - Only accounts on the list will be processed for detection
          • EXCLUDE - Accounts on the list will not be processed for detection

      list (String Array)
        List of accounts to be included or excluded for detection.

    machines (String)
      Machines scope for the configured suspicious activity.

      mode (String)
        Indicates whether the list of machines will be processed for Suspicious Activity detection.
        Valid values:
          • INCLUDE - Only machines on the list will be processed for detection
          • EXCLUDE - Machines on the list will not be processed for detection

      list (String Array)
        List of machines to be included or excluded for detection.
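As an added example that is not part of the CyberArk documentation, the Python helper below checks a rule body against the constraints listed in the parameter descriptions above (category, response and mode values, score range, mandatory description, boolean active), assembles the POST request with the Authorization and Content-Type headers, and dry-runs the rule's regex against a constructed keystroke line before anything is sent to the PTA server. The session token is a placeholder, and the request is only built, not transmitted.

```python
import json
import re

RULE_URL = "https://<IIS_Server_Ip>/PasswordVault/API/pta/API/Settings/RiskyActivity/"  # <IIS_Server_Ip> is a placeholder
CATEGORIES = {"SSH", "WINDOWS", "SCP", "KEYSTROKES", "SQL"}
RESPONSES = {"NONE", "TERMINATE", "SUSPEND"}
MODES = {"INCLUDE", "EXCLUDE"}

def validate_rule(rule):
    """Return the problems found against the documented constraints (empty list if the rule is acceptable)."""
    problems = []
    if rule.get("category") not in CATEGORIES:
        problems.append("category must be one of " + ", ".join(sorted(CATEGORIES)))
    try:
        re.compile(rule.get("regex", ""))  # the server evaluates this as a regex, so it must at least compile
    except re.error as exc:
        problems.append("regex does not compile: %s" % exc)
    score = rule.get("score")
    if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 100:
        problems.append("score must be an integer between 1 and 100")
    if "description" not in rule:  # mandatory field, but an empty string is allowed
        problems.append("description is mandatory (may be empty)")
    if rule.get("response") not in RESPONSES:
        problems.append("response must be one of " + ", ".join(sorted(RESPONSES)))
    if not isinstance(rule.get("active"), bool):
        problems.append("active must be a boolean")
    for name, scope in rule.get("scope", {}).items():  # vaultUsers / accounts / machines
        if scope.get("mode") not in MODES or not isinstance(scope.get("list"), list):
            problems.append("scope.%s needs mode INCLUDE/EXCLUDE and a string array list" % name)
    return problems

def build_request(rule, session_token, url=RULE_URL):
    """Assemble the POST (method, URL, headers, JSON body); nothing is sent."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Authorization": session_token, "Content-Type": "application/json"}
    return {"method": "POST", "url": url, "headers": headers, "body": json.dumps(rule)}

def rule_matches(rule, keystrokes):
    """Dry-run the rule's regex against one captured keystroke line (constructed sample input)."""
    return re.search(rule["regex"], keystrokes) is not None

# The rule body from the JSON Input section above.
EXAMPLE_RULE = {
    "category": "KEYSTROKES", "regex": "(.*)netsh(.*)wlan(.*)key=clear(.*)",
    "score": 40, "response": "NONE", "active": True,
    "description": "Indication of a privileged user using a decoding command in clear text to retrieve a WIFI password.",
    "scope": {"vaultUsers": {"mode": "EXCLUDE", "list": ["john*"]}, "machines": {"mode": "INCLUDE", "list": ["*"]}},
}
```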