Getting Started with Analytics

Analytics on the Delinea Platform empowers PAM (Privileged Access Management) owners to prevent, detect, and stop breaches by continually monitoring alerts across the organization to identify early signs of threats. By analyzing platform audit logs, the system provides predefined security monitoring based on events such as secret usages, login activities, session launches, and more.

The analytics engine establishes a behavioral baseline for each user and identifies deviations from regular patterns. This enables detection of suspicious behavior and authentication breaches in near-real-time.

Analytics covers platform events and Secret Server Cloud events (if fully integrated via Platform Upgrade Center). On-premises installations are not supported.

Step 1: Configure Alert Settings and Add Trusted IPs

Before the analytics engine can effectively identify anomalous behavior, you should configure your organization's trusted IP addresses. This prevents false positives from legitimate corporate network activity.

  1. Navigate to the Settings page.

  2. Under Identity protection, select Alert settings.

  3. Select the Threat tab.

  4. Click Edit to customize the alert parameters.

  5. Add your organization's trusted IP addresses or CIDR ranges to the whitelist.

  6. Include all corporate office ranges, VPN exit points, and known remote work locations.

  7. Save changes to ensure alerts like User performed an activity from an abnormal location do not trigger for legitimate access.

Rationale

The analytics engine uses IP addresses to determine anomalous locations. By adding trusted IPs, you reduce noise from legitimate corporate activity while maintaining detection capability for actual threats.
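As an added pre-check (example code, not part of the Delinea documentation or product): a small Python script that validates a proposed trusted-IP list before it is entered on the Threat tab. It flags ranges broad enough to silence the abnormal-location alert entirely, flags internal ranges that can never match a source address seen by a cloud service, and shows which sample login addresses the list would treat as trusted. All ranges and login addresses below are constructed sample values.

```python
import ipaddress

# Constructed sample whitelist standing in for an organisation's trusted ranges.
TRUSTED_RANGES = [
    "203.0.113.0/24",   # hypothetical head-office egress range
    "198.51.100.8/29",  # hypothetical VPN exit points
    "192.0.2.77",       # hypothetical known remote-work address
]

# Prefixes shorter than these cover so much address space that the
# "abnormal location" alert would effectively be disabled.
MIN_PREFIX_V4 = 8
MIN_PREFIX_V6 = 32

# RFC 1918, loopback and link-local space: a cloud service never sees
# these as a login source address, so listing them only adds noise.
INTERNAL_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def parse_trusted(entries):
    """Parse plain IPs and CIDR ranges into network objects (invalid input raises)."""
    # strict=False lets "10.1.2.3/24" through as 10.1.2.0/24 rather than failing.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def audit_trusted(nets):
    """Return a list of warnings about entries that are too broad or internal."""
    warnings = []
    for net in nets:
        limit = MIN_PREFIX_V4 if net.version == 4 else MIN_PREFIX_V6
        if net.prefixlen < limit:
            warnings.append(f"{net}: prefix shorter than /{limit}, too broad to be a trusted range")
        if net.version == 4 and any(net.subnet_of(p) for p in INTERNAL_V4):
            warnings.append(f"{net}: internal address space, cannot match a cloud login source")
    return warnings


def is_trusted(ip, nets):
    """True if the login source address falls inside any trusted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify_logins(login_ips, nets):
    """Map each sample login address to 'trusted' or 'untrusted'."""
    return {ip: ("trusted" if is_trusted(ip, nets) else "untrusted") for ip in login_ips}
```

Run `audit_trusted(parse_trusted(...))` on the candidate list and fix every warning before saving the whitelist; an entry such as 0.0.0.0/0 would suppress the alert for everyone.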

Step 2: Define Crown Jewel Secrets

Crown Jewel secrets are your organization's most critical credentials that require enhanced monitoring. Access to these secrets will automatically generate alerts regardless of baseline behavior.

  1. Select Settings from the left navigation.

  2. Under Identity protection, select Alert settings.

  3. Select the Threat tab.

  4. Click Edit to customize the alert parameters.

  5. Identify secrets containing your most sensitive credentials (domain admin, production database, cloud provider root accounts, etc.).

  6. Obtain the Secret IDs from Secret Server (visible in the secret's URL or details page).

  7. Add the Secret IDs to the Crown Jewel secrets configuration.

  8. Save the configuration.

Alert Behavior

The rule Access to crown jewel secrets triggers every time any user accesses a secret designated as a crown jewel, enabling immediate visibility into high-value credential usage.

Step 3: Review Generated Alerts

After initial configuration, allow the analytics engine time to establish baselines (minimum 10-14 days for most behavioral alerts). Then review the generated alerts to understand what the system tracks.

Select Threat Center from the left navigation to view the Alerts page.

You will encounter the following Alert types.

Category          | Alert Examples
Behavioral Alerts | Login on weekend, Abnormal location, Irregular session, Suspicious user agent, Inactive user performed action
Activity Spikes   | Abnormal spike in secrets view, session launches, file transfers, platform/SSC admin actions
Authentication    | Rapid brute force, Stealthy brute force, MFA bombing, Atypical travel, Login to disabled account
Secret Access     | Crown jewel access, User-rare secret access, Rare secret access in tenant, Suspicious platform action

Action Items

Review each alert type and resolve alerts as appropriate. Unresolved alerts contribute to user risk scores. Click the Alert Name to view details and investigation context.

Step 4: Create Risk-Based Identity Policies

The analytics feature calculates a risk score for each user (Low, Medium, High, Critical, or N/A). You can leverage these scores to enforce adaptive MFA (Multi-Factor Authentication) requirements based on user risk level.

  1. Select Access from the left navigation, then select Identity policies.

  2. Create a new policy or select an existing policy to modify.

  3. Select the Authentication tab.

  4. In the Authentication Rules section, click Edit, then Add Rule.

    Provide a descriptive Name (e.g., "High Risk Users - Enhanced MFA").

    Select or create an Authentication profile requiring stronger MFA. For Authentication conditions, specify the risk levels (e.g., High, Critical) that should trigger this rule.

    Click Add, then Save.

Recommended Policy

Create a policy requiring high/critical risk users to authenticate only from corporate IP ranges and complete MFA. This provides adaptive security that increases protection when risk is elevated without impacting normal users.

For Federated Users

Enable the Apply additional MFA after federation option and create a dedicated group for IdP-based identities to ensure risk-based controls apply to federated logins.

Step 5: Integrate with Security Operations via Webhooks

Analytics cases and alerts can be forwarded to SIEM (Security Information and Event Management) solutions via webhooks. This enables centralized security monitoring, correlation with other security events, and automated response workflows.

  1. Select Settings from the left navigation.

  2. Under General settings, select Webhooks.

  3. Select Create Webhook.

    Enter the Endpoint URL from your SIEM or SOAR platform.

    In the Triggers section, configure event types to include analytics alerts and cases.

    Click Save.

  4. Click Verify Webhook to test the connection.