CyberArk PAM¶

About¶
Keep your business and its most valuable assets secure. Preventing malicious account or credential access starts with comprehensive privileged access management.
Product Details¶
Vendor URL: CyberArk | Privileged Access Manager
Additional URLs:
Product Type: Identity and Access Management
Product Tier: Tier II
Integration Method: Syslog
Parser Details¶
Log Format: CEF:0/KV
Expected Normalization Rate: near 90%
Data Label: CYBERARK_PAM
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Event Classification |
|---|---|
| action | metadata.product_event_type |
| cn1 | principal.labels[value of cn1Label] |
| cn2 | principal.labels[value of cn2Label] |
| cs1 | principal.labels[value of cs1Label] |
| cs2 | principal.labels[value of cs2Label] |
| cs3 | principal.labels[value of cs3Label] |
| cs4 | principal.labels[value of cs4Label] |
| cs5 | principal.labels[value of cs5Label] |
| dhost | target.hostname |
| duser | target.user.userid |
| fname | target.file.names |
| hostname | observer.hostname |
| product_name | metadata.product_name |
| shost | principal.ip |
| shost | src.hostname |
| suser | principal.user.userid |
| vendor_name | metadata.vendor_name |
| version | metadata.product_version |
The csN/cnN extension values become principal labels whose key is the matching csNLabel/cnNLabel value (for example, cs2Label="Safe Name" with cs2=PasswordManagerTemp yields principal.labels["Safe Name"] = "PasswordManagerTemp"). Extension keys with an empty value are not emitted. shost is written to both principal.ip and src.hostname.
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| (all events) | metadata.event_type = GENERIC_EVENT |
Log Sample¶
<5>1 2023-07-28T05:01:01Z server01 CEF:0|Cyber-Ark|Vault|12.2.0008|59|Clear Safe History|5|act=Clear Safe History suser=exampleuser fname= dvc= shost=0.0.0.0 dhost= duser= externalId= app= reason= cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=PasswordManagerTemp cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5= cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg=
Sample Parsing¶
metadata.event_type = GENERIC_EVENT
metadata.vendor_name = "Cyber-Ark"
metadata.product_name = "Vault"
metadata.product_version = "12.2.0008"
metadata.product_event_type = "Clear Safe History"
observer.hostname = "server01"
principal.user.userid = "exampleuser"
principal.ip = "0.0.0.0"
principal.labels["Safe Name"] = "PasswordManagerTemp"
src.hostname = "0.0.0.0"
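The mapping shown above, carried out in code. This is an added example, not the platform's parser or CyberArk's code: a small Python routine that strips the RFC 5424 syslog header, splits the CEF header on unescaped `|`, parses the key=value extension (values may contain spaces, the `\=` and `\\` escapes, and CyberArk's quoted label values), pairs csN/cnN with their labels, drops empty values, and emits the flat UDM paths listed under Sample Parsing. The input lines are constructed, the flat `a.b.c` key style is an assumption, and so is falling back from `act` to the CEF header name when `act` is absent.

```python
"""Parse a syslog-wrapped CyberArk Vault CEF record into flat UDM-style fields.

Added example, not the platform's parser. Field names and the flat "a.b.c"
key style are assumptions made for illustration.
"""
import re
from typing import Dict, List

# Constructed line mirroring the shape of the page's log sample (dummy values).
SAMPLE = (
    "<5>1 2023-07-28T05:01:01Z server01 "
    "CEF:0|Cyber-Ark|Vault|12.2.0008|59|Clear Safe History|5|"
    "act=Clear Safe History suser=exampleuser fname= dvc= shost=0.0.0.0 dhost= duser= "
    "externalId= app= reason= "
    'cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=PasswordManagerTemp '
    'cs3Label="Device Type" cs3= cs4Label="Database" cs4= cs5Label="Other info" cs5= '
    'cn1Label="Request Id" cn1= cn2Label="Ticket Id" cn2= msg='
)
# Constructed line exercising the extension escapes ('\=' and '\\') and a populated dhost.
ESCAPED = (
    "<5>1 2023-07-28T05:02:02Z server01 "
    "CEF:0|Cyber-Ark|Vault|12.2.0008|59|Clear Safe History|5|"
    "act=Clear Safe History suser=exampleuser shost=10.0.0.5 dhost=db01.example.test "
    'cs2Label="Safe Name" cs2=Prod\\=Safes cs5Label="Other info" cs5=a\\\\b msg='
)

SYSLOG_RE = re.compile(r"^<(?P<pri>\d+)>(?P<ver>\d+)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$", re.S)
# A key starts the string or follows whitespace; '\=' never matches because '\' is not a key char.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def split_cef_header(cef: str) -> List[str]:
    """Return the 7 CEF header fields plus the raw extension, honouring '\\|' and '\\\\' escapes."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):  # escaped char: keep it literally
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    fields.append(cef[i:])  # everything after the 7th '|' is the extension
    return fields


def unescape_ext(value: str) -> str:
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' and '\\r' -> newline/CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Split 'k=v k=v' where values may contain spaces; strip quotes; drop empty values."""
    out: Dict[str, str] = {}
    keys = list(EXT_KEY_RE.finditer(ext))
    for k, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        value = unescape_ext(ext[k.end():end].strip())
        if len(value) >= 2 and value[0] == value[-1] == '"':  # CyberArk quotes csNLabel values
            value = value[1:-1]
        if value:
            out[k.group(1)] = value
    return out


def to_udm(line: str) -> Dict[str, object]:
    """Map one syslog+CEF line to the flat UDM paths the page documents."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    hdr = split_cef_header(m.group("msg"))
    cef = dict(zip(HEADER_FIELDS, hdr[:7]))
    ext = parse_cef_extension(hdr[7])
    udm: Dict[str, object] = {
        "metadata.event_type": "GENERIC_EVENT",  # every event normalizes here per the page
        "metadata.vendor_name": cef["vendor"],
        "metadata.product_name": cef["product"],
        "metadata.product_version": cef["version"],
        "metadata.product_event_type": ext.get("act", cef["name"]),  # assumption: header name as fallback
        "observer.hostname": m.group("host"),  # syslog header hostname
    }
    direct = {"suser": "principal.user.userid", "duser": "target.user.userid", "dhost": "target.hostname"}
    for key, path in direct.items():
        if key in ext:
            udm[path] = ext[key]
    if "fname" in ext:
        udm["target.file.names"] = [ext["fname"]]  # repeated field in UDM
    if "shost" in ext:  # the page's table writes shost to both fields
        udm["principal.ip"] = ext["shost"]
        udm["src.hostname"] = ext["shost"]
    # Label key comes from csNLabel/cnNLabel, label value from csN/cnN; skip incomplete pairs.
    for prefix, count in (("cs", 5), ("cn", 2)):
        for n in range(1, count + 1):
            label, value = ext.get(f"{prefix}{n}Label"), ext.get(f"{prefix}{n}")
            if label and value:
                udm[f'principal.labels["{label}"]'] = value
    return udm


if __name__ == "__main__":
    for path, value in sorted(to_udm(SAMPLE).items()):
        print(f"{path} = {value!r}")
```

Run against `SAMPLE` the output matches the Sample Parsing section: only the "Safe Name" label survives because the other csN/cnN values are empty, and target fields are absent because dhost and duser are empty. `ESCAPED` shows why the extension parser must not split on every `=`: a `\=` inside a safe name would otherwise be mistaken for a new key.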
Parser Alerting¶
This product currently does not have any Parser-based Alerting.