CyberArk

The following instructions are for configuring CyberArk to facilitate log ingestion into Secureworks® Taegis™ XDR.

XDR normalizes logs from the following CyberArk products:

  • Privileged Threat Analytics (PTA)
  • Vault

Connectivity Requirements

| Source | Destination | Port/Protocol |
| --- | --- | --- |
| CyberArk | Taegis™ XDR Collector (mgmt IP) | TCP/601 |

Data Provided from Integration

| | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
| --- | --- | --- | --- |
| CyberArk | CloudAudit, Auth, Thirdparty | | |

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the CyberArk Platform

Configure Log Forwarding for Privileged Threat Analytics (PTA)

Follow the instructions in the CyberArk documentation to configure log forwarding.

Enter the following information:

| Option | Required Value |
| --- | --- |
| siem | Taegis |
| format | CEF |
| host | XDR Collector (mgmt IP) |
| port | 601 |
| protocol | TCP |
| syslogType | RFC3164 |

Configure Log Forwarding for Vault

Follow the instructions in the CyberArk documentation to configure log forwarding.

  1. Create an XSL Translator File using this sample to generate Syslog output in the CEF format.

  2. Enter the following information in the DBPARM.ini file.

    | Option | Required Value |
    | --- | --- |
    | SyslogServerIP | XDR Collector (mgmt IP) |
    | SyslogServerPort | 601 |
    | SyslogServerProtocol | TCP |
    | SyslogMessageCodeFilter | Recommended Action Codes for Monitoring |
    | SyslogTranslatorFile | The XSL Translator File created in Step 1 above |
    | SyslogProcessingTasks | Current Value |
    | SyslogMessageProcessingLimit | Current Value |
    | SyslogServerMessageLimit | Current Value |
    | SyslogLimitNotificationFrequency | Current Value |

Example Query Language Searches

To search for PTA events from the last 24 hours:

`FROM thirdparty WHERE sensor_type = 'CyberArk' and EARLIEST=-24h`

To search for cloudaudit events:

`FROM cloudaudit WHERE sensor_type = 'CyberArk'`

To search for auth events associated with a specific user:

`FROM auth WHERE sensor_type='CyberArk' AND source_user_name = 'foo'`

Event Details

CyberArk PTA Event Details

CyberArk Vault Event Details

Sample Logs

PTA

    Oct 23 03:18:20 10.10.10.10 Oct 22 22:18:20 10.10.10.10 CEF:0|CyberArk|PTA|12.0|23|Privileged access to the Vault during irregular hours|2|suser=user(Vault user) shost=None src=None duser=user@domain.com dhost=host.domain.com dst=10.10.10.11 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=6354b27bc2dc3bbcd4e0ffff deviceCustomDate1Label=DetectionDate deviceCustomDate1=1666495099000 cs3Label=PTALink cs3=https://cyberark.domain.com:443/PasswordVault/v10/pta/events/1234567890cccc cs4Label=ExternalLink cs4=None

Vault

    Oct 21 21:00:27 10.1.2.3 Oct 21 17:00:27 ADEVICE CEF:0|Cyber-Ark|Vault|12.1.0000|7|Logon|5|act=Logon suser=user@domain.com fname= dvc=10.1.2.4 shost=10.10.2.2 dhost= duser= externalId= app= reason= cs1Label=""Affected User Name"" cs1= cs2Label=""Safe Name"" cs2= cs3Label=""Device Type"" cs3= cs4Label=""Database"" cs4= cs5Label=""Other info"" cs5=10.1.2.4 cn1Label=""Request Id"" cn1= cn2Label=""Ticket Id"" cn2=  msg=
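The following is an added example, not part of the Taegis or CyberArk documentation: a small parser for the syslog-wrapped CEF messages shown above. It separates the syslog prefix from the seven pipe-delimited CEF header fields, splits the extension into key/value pairs (including the empty values the Vault translator emits), and resolves `csN`/`cnN`/`deviceCustomDateN` values to their `*Label` names, which is what you want to check when verifying that the PTA settings or the DBPARM.ini translator produce the fields XDR expects. The two sample strings are constructed, abbreviated copies of the page's PTA and Vault messages.

```python
import re

# Constructed, abbreviated copies of the two sample messages on this page (syslog prefix + CEF body).
PTA_SAMPLE = (
    "Oct 23 03:18:20 10.10.10.10 Oct 22 22:18:20 10.10.10.10 CEF:0|CyberArk|PTA|12.0|23|"
    "Privileged access to the Vault during irregular hours|2|suser=user(Vault user) shost=None "
    "src=None duser=user@domain.com dhost=host.domain.com dst=10.10.10.11 cs1Label=ExtraData "
    "cs1=None cs2Label=EventID cs2=6354b27bc2dc3bbcd4e0ffff "
    "deviceCustomDate1Label=DetectionDate deviceCustomDate1=1666495099000"
)
VAULT_SAMPLE = (
    'Oct 21 21:00:27 10.1.2.3 Oct 21 17:00:27 ADEVICE CEF:0|Cyber-Ark|Vault|12.1.0000|7|Logon|5|'
    'act=Logon suser=user@domain.com fname= dvc=10.1.2.4 shost=10.10.2.2 dhost= duser= '
    'cs1Label="Affected User Name" cs1= cs5Label="Other info" cs5=10.1.2.4 cn1Label="Request Id" cn1= msg='
)
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def split_cef(line):
    """Drop the syslog transport prefix and split the 7 pipe-delimited CEF header fields."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    # Pipes escaped as \| inside a header field must not split it.
    parts = re.split(r"(?<!\\)\|", line[idx + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return dict(zip(HEADER_FIELDS, parts[:7])), parts[7]

def parse_extensions(ext):
    """Return (raw key/value pairs, custom fields keyed by their *Label text)."""
    fields = {}
    # A value runs until the next " key=" token; values may be empty (Vault emits "fname= dvc=...")
    # and may contain spaces ("suser=user(Vault user)"). An escaped "\=" never ends a value because
    # the character before that "=" is a backslash, not a word character.
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext):
        fields[m.group(1)] = m.group(2).strip().strip('"')  # strip quoting around label text
    resolved = {}
    for key, value in fields.items():
        if key.endswith("Label") and key[:-5] in fields:  # csN / cnN / deviceCustomDateN
            resolved[value] = fields[key[:-5]]
    return fields, resolved

def parse_cef(line):
    """Parse one syslog-wrapped CEF line into header, raw extensions and resolved custom fields."""
    header, ext = split_cef(line)
    fields, custom = parse_extensions(ext)
    return {"header": header, "ext": fields, "custom": custom}
```

Running `parse_cef` over a capture from the collector port lets you confirm, before enabling detections, that labels such as `EventID` and `Affected User Name` arrive with the values the Event Details pages describe.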