CyberArk
The following instructions are for configuring CyberArk to facilitate log ingestion into Secureworks® Taegis™ XDR.
XDR normalizes logs from the following CyberArk products:
- Privileged Threat Analytics (PTA)
- Vault
Connectivity Requirements ⫘
Source | Destination | Port/Protocol |
---|---|---|
CyberArk | Taegis™ XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration ⫘
Auth | CloudAudit | DNS | HTTP | Netflow | NIDS | Process | Thirdparty | |
---|---|---|---|---|---|---|---|---|
CyberArk | D | Y | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the CyberArk Platform ⫘
Configure Log Forwarding for Privileged Threat Analytics (PTA) ⫘
Follow the instructions in the CyberArk documentation to configure log forwarding.
Enter the following information:
Option | Required Value |
---|---|
siem | Taegis |
format | CEF |
host | XDR Collector (mgmt IP) |
port | 601 |
protocol | TCP |
syslogType | RFC3164 |
Configure Log Forwarding for Vault ⫘
Follow the instructions in the CyberArk documentation to configure log forwarding.
-
Create an XSL Translator File using this sample to generate Syslog output in the CEF format.
-
Enter the following information in the DBPARM.ini file.
Option | Required Value |
---|---|
SyslogServerIP | XDR Collector (mgmt IP) |
SyslogServerPort | 601 |
SyslogServerProtocol | TCP |
SyslogMessageCodeFilter | Recommended Action Codes for Monitoring |
SyslogTranslatorFile | The XSL Translator File created in Step 1 above |
SyslogProcessingTasks | Current Value |
SyslogMessageProcessingLimit | Current Value |
SyslogServerMessageLimit | Current Value |
SyslogLimitNotificationFrequency | Current Value |
Example Query Language Searches ⫘
To search for PTA events from the last 24 hours:
FROM thirdparty WHERE sensor_type = 'CyberArk' and EARLIEST=-24h
To search for cloudaudit
events:
FROM cloudaudit WHERE sensor_type = 'CyberArk'
To search for auth
events associated with a specific user:
FROM auth WHERE sensor_type='CyberArk' AND source_user_name = 'foo'
Event Details ⫘
CyberArk PTA Event Details
CyberArk Vault Event Details
Sample Logs ⫘
PTA ⫘
Oct 23 03:18:20 10.10.10.10 Oct 22 22:18:20 10.10.10.10 CEF:0|CyberArk|PTA|12.0|23|Privileged access to the Vault during irregular hours|2|suser=user(Vault user) shost=None src=None duser=user@domain.com dhost=host.domain.com dst=10.10.10.11 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=6354b27bc2dc3bbcd4e0ffff deviceCustomDate1Label=DetectionDate deviceCustomDate1=1666495099000 cs3Label=PTALink cs3=https://cyberark.domain.com:443/PasswordVault/v10/pta/events/1234567890cccc cs4Label=ExternalLink cs4=None
Vault ⫘
Oct 21 21:00:27 10.1.2.3 Oct 21 17:00:27 ADEVICE CEF:0|Cyber-Ark|Vault|12.1.0000|7|Logon|5|act=Logon suser=user@domain.com fname= dvc=10.1.2.4 shost=10.10.2.2 dhost= duser= externalId= app= reason= cs1Label=""Affected User Name"" cs1= cs2Label=""Safe Name"" cs2= cs3Label=""Device Type"" cs3= cs4Label=""Database"" cs4= cs5Label=""Other info"" cs5=10.1.2.4 cn1Label=""Request Id"" cn1= cn2Label=""Ticket Id"" cn2= msg=