CyberArk Password Vault
What is Discovered and Monitored
Protocol | Information discovered | Logs parsed | Used for |
---|---|---|---|
Syslog (CEF formatted and others) | | CyberArk Safe Activity | Security Monitoring and compliance |
Event Types
In ADMIN > Device Support > Event, search for "CyberArk-Vault" in the Device Type column to see the event types associated with this device.
Rules
In RESOURCE > Rules, search for "CyberArk":
- CyberArk Vault Blocked Failure
- CyberArk Vault CPM Password Disables
- CyberArk Vault Excessive Failed PSM Connections
- CyberArk Vault Excessive Impersonations
- CyberArk Vault Excessive PSM Keystroke Logging Failure
- CyberArk Vault Excessive PSM Session Monitoring Failure
- CyberArk Vault Excessive Password Release Failure
- CyberArk Vault File Operation Failure
- CyberArk Vault Object Content Validation Failure
- CyberArk Vault Unauthorized User Stations
- CyberArk Vault User History Clear
Reports
In RESOURCE > Reports, search for "CyberArk":
- CyberArk Blocked Operations
- CyberArk CPM Password Disables
- CyberArk CPM Password Retrieval
- CyberArk File Operation Failures
- CyberArk Impersonations
- CyberArk Object Content Validation Failures
- CyberArk PSM Monitoring Failures
- CyberArk Password Resets
- CyberArk Privileged Command Operations
- CyberArk Provider Password Retrieval
- CyberArk Trusted Network Area Updates
- CyberArk Unauthorized Stations
- CyberArk User History Clears
- CyberArk User/Group Modification Activity
- CyberArk Vault CPM Password Reconcilations
- CyberArk Vault CPM Password Verifications
- CyberArk Vault Configuration Changes
- CyberArk Vault Failed PSM connections
- CyberArk Vault Modification Activity
- CyberArk Vault PSM Keystore Logging Failures
- CyberArk Vault Password Changes from CPM
- CyberArk Vault Password Release Failures
- CyberArk Vault Successful PSM Connections
- Top CyberArk Event Types
- Top CyberArk Safes, Folders By Activity
- Top CyberArk Users By Activity
CyberArk Configuration for sending syslog in a specific format
- Open the \PrivateArk\Server\DBParm.ini file and edit the SYSLOG section:
  - SyslogServerIP – Specify the FortiSIEM supervisor, workers and collectors, separated by commas.
  - SyslogServerProtocol – Set to the default value of UDP.
  - SyslogServerPort – Set to the default value of 514.
  - SyslogMessageCodeFilter – Set to the default range 0-999.
  - SyslogTranslatorFile – Set to Syslog\FortiSIEM.xsl.
  - UseLegacySyslogFormat – Set to the default value of No.
- Copy the relevant XSL translator file to the Syslog subfolder specified in the SyslogTranslatorFile parameter in DBParm.ini.
- Stop and start the Vault (Central Server Administration) for the changes to take effect.
Make sure the syslog format is as follows.
<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";Version="9.20.0000";MessageID="295";Message="Retrieve password";Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";Safe="TestPasswords";Reason="Test";Severity="Info"

<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: APPAP097I Connection to the Vault has been restored

<27>Mar 22 20:10:50 VA461_1022 CyberArk AIM[2453]: APPAP289E Connection to the Vault has failed. Further attempts to connect to the Vault will be avoided for [1] minutes.

<27>Mar 24 23:41:58 VA461_1022 CyberArk AIM[2453]: APPAU002E Provider [Prov_VA461_1022] has failed to fetch password with query [Safe=TestPutta;Object=Telnet91] for application [FortiSIEM]. Fetch reason: [APPAP004E Password object matching query
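
One way to check that messages arriving from the Vault match the format shown above, as an added example (not FortiSIEM or CyberArk code). The function names and the REQUIRED field set are assumptions made for illustration; the sample lines are copied from this page, and the truncated one is constructed from them.

```python
import re

# Expected header: <PRI>VERSION TIMESTAMP HOST CYBERARK: key="value";...
HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>\d+ (?P<ts>\S+) (?P<host>\S+) CYBERARK: (?P<body>.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')
# Assumed minimum field set, taken from the sample Vault message on this page.
REQUIRED = ("Product", "MessageID", "Message", "Issuer", "Station", "Safe", "Severity")

# Sample lines copied from this page.
SAMPLE = (r'<5>1 2016-02-02T17:24:42Z SJCDVVWCARK01 CYBERARK: Product="Vault";'
          r'Version="9.20.0000";MessageID="295";Message="Retrieve password";'
          r'Issuer="Administrator";Station="10.10.110.11";File="Root\snmpCommunity";'
          r'Safe="TestPasswords";Reason="Test";Severity="Info"')
AIM_SAMPLE = ('<30>Mar 22 20:13:42 VA461_1022 CyberArk AIM[2453]: '
              'APPAP097I Connection to the Vault has been restored')
# Constructed: the same Vault message cut off before the Safe field.
TRUNCATED = SAMPLE.split("Safe=")[0]


def parse_vault_syslog(line):
    """Return the message fields as a dict, or None when the line does not
    carry the Vault header (for example a CyberArk AIM message)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    fields = dict(PAIR.findall(m.group("body")))
    # Syslog PRI = facility * 8 + severity.
    fields.update(facility=pri >> 3, severity_code=pri & 7,
                  timestamp=m.group("ts"), host=m.group("host"))
    return fields


def missing_fields(fields):
    """List the REQUIRED keys absent from a parsed message."""
    return [k for k in REQUIRED if k not in fields]


if __name__ == "__main__":
    for line in (SAMPLE, AIM_SAMPLE, TRUNCATED):
        parsed = parse_vault_syslog(line)
        if parsed is None:
            print("not Vault format:", line[:40])
        else:
            print(parsed["MessageID"], parsed["Message"], "missing:", missing_fields(parsed))
```

A non-empty result from missing_fields on live traffic points to a wrapped or cut-off message or a different translator file, which is worth checking before relying on the rules and reports listed above.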