Implementing Privileged Session Monitoring
When to Use
- Deploying or configuring session recording for all privileged access to critical servers and databases
- Meeting compliance requirements (PCI-DSS 10.2, SOX, HIPAA, ISO 27001) that mandate privileged activity monitoring
- Investigating an incident where an administrator or third-party vendor may have performed unauthorized actions
- Implementing real-time alerting for high-risk commands executed during privileged sessions
- Establishing a forensic audit trail of all administrative actions on production infrastructure
Do not use for monitoring standard user sessions or endpoint activity; use EDR/UBA solutions for general user behavior monitoring. Privileged session monitoring focuses specifically on elevated-access sessions.
Prerequisites
- CyberArk PAM Self-Hosted or Privilege Cloud deployment with Digital Vault configured
- CyberArk Privileged Session Manager (PSM) or PSM for SSH (PSMP) installed on a hardened Windows/Linux jump server
- Network architecture where all privileged access is routed through the PSM proxy (no direct RDP/SSH to targets)
- PVWA (Password Vault Web Access) deployed and accessible for session review
- Active Directory integration for authenticating PAM users
- Sufficient storage for session recordings (estimate: 50-250 KB per minute for RDP, 5-20 KB per minute for SSH)
- Alternatively for open-source: Teleport, Apache Guacamole with session recording, or
script/ttyrecfor Linux
Workflow
Step 1: Architecture — Route All Privileged Access Through PSM
Ensure no direct privileged access bypasses the recording proxy:
Architecture Overview:
Admin User ──> PVWA (Web Portal) ──> PSM (Jump Server) ──> Target Server
│ │ │
│ Credentials never │ Session is │
│ exposed to admin │ recorded and │
│ │ stored in Vault │
└── MFA + AD Auth ──────────────────> │ │
└── RDP/SSH proxy ──>│
Network Controls:
- Firewall: DENY direct RDP (3389) and SSH (22) to target servers from user networks
- Firewall: ALLOW RDP/SSH to target servers ONLY from PSM server IPs
- Firewall: ALLOW PVWA access (443) from admin user networks
- PSM server: Hardened, no internet access, local admin access restricted
Step 2: Configure PSM Connection Components
Define how PSM connects to target systems. In the PVWA administration console:
PVWA > Administration > Configuration > Connection Components
For Windows RDP targets:
Connection Component: PSM-RDP
Protocol: RDP
Client Application: mstsc.exe
Recording Settings:
Record Sessions: Yes
Recording Format: AVI (video) + Keystrokes (text)
Record Windows Titles: Yes
For Linux SSH targets:
Connection Component: PSM-SSH
Protocol: SSH
Client Application: PSM-SecureCRT or PSM-Putty
Recording Settings:
Record Sessions: Yes
Recording Format: AVI + Text commands
Record Unix Commands: Yes
For Database targets (SQL Server Management Studio):
Connection Component: PSM-SSMS
Protocol: Custom
Client Application: SSMS.exe
Recording Settings:
Record Sessions: Yes
Record SQL Queries: Yes (via keystroke logging)
Step 3: Configure Session Recording Policies
Define recording rules based on risk level and compliance requirements:
PVWA > Administration > Platform Management > [Platform] > Session Management
Session Recording Settings:
Enable Session Recording: Yes
Recording Type: Record and Save (not just Monitor)
Keystroke Logging:
Enable Transcript: Yes
Enable Window Events: Yes
Storage:
Recordings Storage Location: Vault (encrypted, tamper-proof)
Retention Period: 90 days (adjust per compliance requirement)
PCI-DSS: Retain for 1 year, available for 3 months
SOX: Retain for 7 years
HIPAA: Retain for 6 years
Compression:
Enable Recording Compression: Yes
Compression Level: Medium (balance storage vs. quality)
For granular control, configure per-safe recording policies:
Safe: Production-Servers-Admin
Record all sessions: Yes
Safe: Development-Servers
Record all sessions: No (optional for non-production)
Safe: Third-Party-Vendor-Access
Record all sessions: Yes
Enable real-time monitoring: Yes
Require dual authorization: Yes
Step 4: Enable Real-Time Session Monitoring
Configure live session monitoring for SOC analysts:
PVWA > Monitoring > Privileged Session Monitoring
Live Monitoring Dashboard:
- Active Sessions: Shows all current privileged sessions in real-time
- Session Details: User, target, duration, risk score
- Actions Available:
- Watch: View the session in real-time (read-only)
- Suspend: Temporarily freeze the session
- Terminate: Immediately end the session
Configure monitoring alerts in CyberArk Privileged Threat Analytics (PTA):
PTA > Configuration > Security Events
Rule: High-Risk Command Detected
Trigger: Unix command matches pattern
Patterns:
- rm -rf /
- chmod 777
- iptables -F
- useradd
- passwd root
- dd if=/dev/
- wget http* | sh
- curl * | bash
- nc -e /bin/sh
- python -c 'import socket,subprocess'
Action: Alert SOC + Flag session as high-risk
Rule: Credential Access Attempt
Trigger: Windows process matches
Patterns:
- mimikatz.exe
- procdump.exe targeting lsass
- ntdsutil.exe
- secretsdump
Action: Terminate session + Alert SOC + Lock account
Rule: Unusual Session Duration
Trigger: Session duration exceeds 4 hours
Action: Alert SOC for review
Step 5: Configure Session Review Workflow
Set up the post-session review process for auditors:
PVWA > Recordings > Search and Review
Search Filters:
- Date range
- Target server
- User who initiated the session
- Safe name
- Session risk score (from PTA)
- Session duration
Review Workflow:
1. Auditor opens recorded session in PVWA HTML5 player
2. Video playback with timeline scrubbing
3. Keystroke transcript displayed alongside video
4. Window title log shows which applications were opened
5. Risk events are highlighted on the timeline with markers
6. Auditor marks session as: Reviewed-OK, Reviewed-Suspicious, or Requires-Investigation
Fast-Forward Features:
- Jump to keystrokes (skip idle time)
- Jump to risk events (flagged by PTA)
- Text search within keystroke transcript
- Filter by window title changes
Step 6: Open-Source Alternative — Teleport for Session Recording
For environments without CyberArk, Teleport provides session recording for SSH, RDP, and Kubernetes:
# /etc/teleport.yaml - Session recording configuration
teleport:
nodename: teleport-proxy.corp.internal
data_dir: /var/lib/teleport
auth_service:
enabled: yes
session_recording: "node-sync" # Record at the node level, sync to auth server
# Session recording storage (S3 for production)
audit_sessions_uri: "s3://teleport-session-recordings/sessions?region=us-east-1"
# Enhanced session recording (captures commands even in nested shells)
enhanced_recording:
enabled: true
command_events: true
network_events: true
disk_events: true
ssh_service:
enabled: yes
enhanced_recording:
enabled: true
proxy_service:
enabled: yes
web_listen_addr: 0.0.0.0:443
Query recorded sessions with tsh:
# List recorded sessions
tsh recordings ls --from=2026-03-15 --to=2026-03-19
# Play back a specific session
tsh play <session-id>
# Export session events as JSON (for SIEM ingestion)
tsh recordings export <session-id> --format=json > session_events.json
# Search for sessions containing specific commands
tsh recordings ls --query='command == "rm -rf"'
Step 7: Forward Session Metadata to SIEM
Send session events and alerts to the SIEM for correlation with other security data:
CyberArk PTA Integration:
SIEM Connector: Syslog (CEF format) or REST API
Target: Splunk, Microsoft Sentinel, QRadar, or Elastic
Events Forwarded:
- Session start/stop with user, target, and duration
- High-risk command detection alerts
- Session termination events
- Failed connection attempts
- Dual-authorization requests and approvals/denials
Syslog Configuration (PTA):
PTA > Configuration > SIEM Integration
Protocol: TCP + TLS
Destination: siem.corp.internal:6514
Format: CEF (Common Event Format)
Example CEF Event:
CEF:0|CyberArk|PTA|12.6|HighRiskCommand|High Risk Command Detected|8|
src=10.1.5.42 suser=admin1 dhost=prod-db-01 cs1=rm -rf /var/log
cs2=PSM-SSH cs3=Production-Servers-Admin
Key Concepts
| Term | Definition | |------|------------| | PSM (Privileged Session Manager) | CyberArk component that acts as a proxy/jump server, recording all privileged sessions in video and text format | | PSMP (PSM for SSH Proxy) | Linux-based PSM proxy specifically for SSH, SCP, and SFTP sessions | | Connection Component | CyberArk configuration that defines how PSM launches client applications (RDP, SSH, SSMS) to connect to target systems | | Privileged Threat Analytics (PTA) | CyberArk module that applies behavioral analytics and risk scoring to recorded sessions to detect anomalous activity | | Dual Authorization | Security control requiring two authorized users to approve a privileged session before it is established | | Session Isolation | Architecture principle where administrators never directly connect to targets; all access is proxied through the PAM system | | Keystroke Transcript | Text log of all keystrokes typed during a recorded session, searchable for audit and forensic purposes | | Vaulting | Storing privileged credentials in an encrypted digital vault so they are never exposed to the end user |
Verification
- [ ] All privileged access to production targets routes through PSM (direct RDP/SSH is blocked by firewall)
- [ ] Session recordings are being stored in the Vault with encryption and tamper protection
- [ ] Keystroke transcripts are captured and searchable for SSH and RDP sessions
- [ ] PTA rules trigger alerts for high-risk commands (test with a benign trigger pattern)
- [ ] Real-time monitoring dashboard shows active sessions with correct metadata
- [ ] Session recordings play back correctly in PVWA HTML5 player with timeline and transcript
- [ ] Storage estimates are validated and retention policies match compliance requirements
- [ ] Dual authorization is enforced for vendor and high-risk target access
- [ ] Session metadata and alerts are forwarding to SIEM and correlating correctly
- [ ] Auditors can search, review, and annotate sessions through the PVWA interface
- [ ] Terminated sessions leave a complete recording up to the point of termination