Fortinet black logo

External Systems Configuration Guide

CyberArk Password Vault

CyberArk Password Vault

What is Discovered and Monitored

Protocol

Information discovered

Logs parsed

Used for

Syslog (CEF formatted and others)

CyberArk Safe Activity

Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "CyberArk-Vault" in the Device Type column to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "CyberArk":

  • CyberArk Vault Blocked Failure
  • CyberArk Vault CPM Password Disables
  • CyberArk Vault Excessive Failed PSM Connections
  • CyberArk Vault Excessive Impersonations
  • CyberArk Vault Excessive PSM Keystroke Logging Failure
  • CyberArk Vault Excessive PSM Session Monitoring Failure
  • CyberArk Vault Excessive Password Release Failure
  • CyberArk Vault File Operation Failure
  • CyberArk Vault Object Content Validation Failure
  • CyberArk Vault Unauthorized User Stations
  • CyberArk Vault User History Clear

Reports

In RESOURCE > Reports, search for "CyberArk":

  • CyberArk Blocked Operations
  • CyberArk CPM Password Disables
  • CyberArk CPM Password Retrieval
  • CyberArk File Operation Failures
  • CyberArk Impersonations
  • CyberArk Object Content Validation Failures
  • CyberArk PSM Monitoring Failures
  • CyberArk Password Resets
  • CyberArk Privileged Command Operations
  • CyberArk Provider Password Retrieval
  • CyberArk Trusted Network Area Updates
  • CyberArk Unauthorized Stations
  • CyberArk User History Clears
  • CyberArk User/Group Modification Activity
  • CyberArk Vault CPM Password Reconcilations
  • CyberArk Vault CPM Password Verifications
  • CyberArk Vault Configuration Changes
  • CyberArk Vault Failed PSM connections
  • CyberArk Vault Modification Activity
  • CyberArk Vault PSM Keystore Logging Failures
  • CyberArk Vault Password Changes from CPM
  • CyberArk Vault Password Release Failures
  • CyberArk Vault Successful PSM Connections
  • Top CyberArk Event Types
  • Top CyberArk Safes, Folders By Activity
  • Top CyberArk Users By Activity

CyberArk Configuration for sending syslog in a specific format

  1. Open \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
    1. SyslogServerIP – Specify FortiSIEM supervisor, workers and collectors separated by commas.
    2. SyslogServerProtocol – Set to the default value of UDP.
    3. SyslogServerPort – Set to the default value of 514.
    4. SyslogMessageCodeFilter – Set to the default range 0-999.
    5. SyslogTranslatorFile – Set to Syslog\FortiSIEM.xsl.
    6. UseLegacySyslogFormat - Set to the default value of No.
  2. Copy the relevant XSL translator file here to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini.
  3. Stop and Start Vault (Central Server Administration) for the changes to take effect.

Make sure the syslog format is as follows.

<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";
Safe="TestPasswords";Reason="Test";Severity="Info"
<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored <27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes. <27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [FortiSIEM]. Fetch reason: [APPAP004E Password object matching query

CyberArk Password Vault

What is Discovered and Monitored

Protocol

Information discovered

Logs parsed

Used for

Syslog (CEF formatted and others)

CyberArk Safe Activity

Security Monitoring and compliance

Event Types

In ADMIN > Device Support > Event, search for "CyberArk-Vault" in the Device Type column to see the event types associated with this device.

Rules

In RESOURCE > Rules, search for "CyberArk":

  • CyberArk Vault Blocked Failure
  • CyberArk Vault CPM Password Disables
  • CyberArk Vault Excessive Failed PSM Connections
  • CyberArk Vault Excessive Impersonations
  • CyberArk Vault Excessive PSM Keystroke Logging Failure
  • CyberArk Vault Excessive PSM Session Monitoring Failure
  • CyberArk Vault Excessive Password Release Failure
  • CyberArk Vault File Operation Failure
  • CyberArk Vault Object Content Validation Failure
  • CyberArk Vault Unauthorized User Stations
  • CyberArk Vault User History Clear

Reports

In RESOURCE > Reports, search for "CyberArk":

  • CyberArk Blocked Operations
  • CyberArk CPM Password Disables
  • CyberArk CPM Password Retrieval
  • CyberArk File Operation Failures
  • CyberArk Impersonations
  • CyberArk Object Content Validation Failures
  • CyberArk PSM Monitoring Failures
  • CyberArk Password Resets
  • CyberArk Privileged Command Operations
  • CyberArk Provider Password Retrieval
  • CyberArk Trusted Network Area Updates
  • CyberArk Unauthorized Stations
  • CyberArk User History Clears
  • CyberArk User/Group Modification Activity
  • CyberArk Vault CPM Password Reconcilations
  • CyberArk Vault CPM Password Verifications
  • CyberArk Vault Configuration Changes
  • CyberArk Vault Failed PSM connections
  • CyberArk Vault Modification Activity
  • CyberArk Vault PSM Keystore Logging Failures
  • CyberArk Vault Password Changes from CPM
  • CyberArk Vault Password Release Failures
  • CyberArk Vault Successful PSM Connections
  • Top CyberArk Event Types
  • Top CyberArk Safes, Folders By Activity
  • Top CyberArk Users By Activity

CyberArk Configuration for sending syslog in a specific format

  1. Open \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
    1. SyslogServerIP – Specify FortiSIEM supervisor, workers and collectors separated by commas.
    2. SyslogServerProtocol – Set to the default value of UDP.
    3. SyslogServerPort – Set to the default value of 514.
    4. SyslogMessageCodeFilter – Set to the default range 0-999.
    5. SyslogTranslatorFile – Set to Syslog\FortiSIEM.xsl.
    6. UseLegacySyslogFormat - Set to the default value of No.
  2. Copy the relevant XSL translator file here to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini.
  3. Stop and Start Vault (Central Server Administration) for the changes to take effect.

Make sure the syslog format is as follows.

<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";
Safe="TestPasswords";Reason="Test";Severity="Info"
<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored <27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes. <27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [FortiSIEM]. Fetch reason: [APPAP004E Password object matching query