CyberArk¶
About¶
Built for the dynamic enterprise, the CyberArk Identity Security Platform enables secure access for any identity — human or machine — to any resource or environment from anywhere, using any device.
Product Details¶
Vendor URL: One Identity | Unified Identity Security
Additional URLs:User Guide
Product Type: Identity and Access Management
Product Tier: Tier III
Integration Method: Syslog
Parser Details¶
Log Format: CEF:0/Syslog+json
Expected Normalization Rate: near 90%
Data Label: CYBERARK
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| accessTargetName | target.hostname |
| agentId | principal.user.userid |
| applicationProtocol | network.application_protocol |
| ApplicationType | metadata.product_name |
| company | target.user.company_name |
| computerName | target.hostname |
| computerName | principal.hostname |
| deviceAction | metadata.product_event_type |
| deviceEventClassId | metadata.product_log_id |
| destinationHostName | target.hostname |
| destinationUserName | target.user.userid |
| deviceProduct | metadata.product_name |
| deviceVersion | metadata.product_version |
| displayName | target.user.copmany_name |
| eventType | additional.fields |
| EventName | security_result.description |
| EventType | metadata.product_event_type |
| externalId | additional_externalId.value.string_value |
| fileName | target.process.file.full_path |
| filePath | target.file.full_path |
| hash | target.file.sha1 |
| host | observer.hostname |
| host | principal.hostname |
| LastEventComputer | principal.hostname |
| LastEventFileName | target.asset.software |
| LastEventID | metadata.product_log_id |
| LastEventPackageName | target.asset.software |
| LastEventSourceType | arget.resource.resource_subtype |
| LastEventUserName | principal.user.userid |
| name | security_result.summary |
| owner | additional.fields |
| path | target.file.full_path |
| PolicyName | security_result.rule_name |
| prod_path | target.file.full_path |
| prod_version | metadata.product_version |
| Publisher | target.domain.tech.company_name |
| Reason | security_result.description |
| security_category | security_result.category |
| severity | security_result.severity |
| sha1 | principal.process.file.sha1 |
| sha256 | principal.process.file.sha256 |
| sourceAddress | principal.ip |
| sourceHostName | principal.hostname |
| sourceUserName | principal.user.userid |
| TotalEvents | additional_externalId.value.string_value |
| userName | target.user.employee_id |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| STATUS_UPDATE | metadata.event_type |
| GENERIC_EVENT | metadata.event_type |
Log Sample¶
<13>1 2022-12-05T13:02:01.902+00:00 abcde12345 cyberark - - - {"host":"abcde12345","deviceCustomString4Label":"\"Database\"","type":"cyberark","deviceCustomString5":"","sourceUserName":"john.done@example.com","deviceCustomString1Label":"\"Affected User Name\"","path":"/nsm/hosts/cyberark/abc.log","deviceCustomString4":"","applicationProtocol":"RDP","sourceHostName":"10.1.1.1","externalId":"dba12345-12c0-123b-123d-abcdef123456","deviceCustomString2":"ABC-abc","deviceVendor":"Cyber-Ark","deviceCustomString3Label":"\"Device Type\"","severity":"5","deviceCustomString2Label":"\"Safe Name\"","syslog":"2022-12-05T13:02:01.521+00:00 2022-12-05T13:02:01Z ABCD1234","deviceCustomNumber1":"","@version":"1","deviceVersion":"12.2.0004","cefVersion":"0","@timestamp":"2022-12-05T13:02:01.902Z","deviceAction":"Window Title","deviceCustomString5Label":"\"Other info\"","Reason":"Test.exe, SQLtest.sql - ABCDEF12345.ABC_work (Example\\Test_Task (73))* - Microsoft SQL Server Management Studio (Administrator)","destinationHostName":"ABCDEF12345","deviceCustomNumber2Label":"\"Ticket Id\"","deviceEventClassId":"311","destinationUserName":"Test_Task","deviceCustomNumber2":"","deviceProduct":"Vault","fileName":"Root\\Operating System-LinuxDomain-Staging-theABCcompany.local-Test_Task","deviceCustomNumber1Label":"\"Request Id\"","deviceAddress":"","name":"Window Title","principal.user.userid":"Subhankar.Chakraborty.cw@carlyle.com","deviceCustomString1":"","deviceCustomString3":"Operating System"}
Sample Parsing¶
metadata.product_log_id = "311"
metadata.event_type = "STATUS_UPDATE"
metadata.vendor_name = "CyberArk"
metadata.product_name = "Vault"
metadata.product_version = "12.2.0004"
metadata.product_event_type = "Window Title"
additional.fields["externalId"] = "dba12345-12c0-123b-123d-abcdef123456"
principal.hostname = "10.1.1.1"
principal.user.userid = "john.done@example.com"
principal.asset.hostname = "10.1.1.1"
target.hostname = "ABCDEF12345"
target.user.userid = "Test_Task"
target.process.file.full_path = "Root\Operating System-LinuxDomain-Staging-theABCcompany.local-Test_Task"
target.file.full_path = "/nsm/hosts/cyberark/ABCD1234.log"
target.asset.hostname = "ABCDEF12345"
observer.hostname = "abcde12345"
security_result.summary = "Window Title"
security_result.description = "Test.exe, SQLtest.sql - ABCDEF12345.ABC_work (Example\Test_Task (73))* - Microsoft SQL Server Management Studio (Administrator)"
security_result.severity = "LOW"
network.application_protocol = "RDP"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming soon