Target account deleted audit

book

Article ID: 223709

calendar_today

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Target account that was mysteriously removed from CA PAM.  Where/How can I tell who/what deleted the account? I've looked in session log and reports but can't find a way to determine this.  

Environment

Release : 3.4, 3.4.2.91

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

An account delete would display in the Administrative activities report.  This can be seen under Credentials > Reports > Run > Administrative Activities report.  The concern is the account delete happened longer ago than we expect, in which case the data would no longer be the database and your archive would need to be reviewed.  The report is subject to your purge policy and auditlog data.  If data can not be found, as this happened further back you would need to review your syslog server if you have this integrated with PAM.