
CyberArk Enterprise Password Vault

This pack contains modeling & parsing rules for CyberArk Enterprise Password Vault (EPV) audit event logs.


This pack includes Cortex XSIAM content.

Configuration on Server Side

This section describes the steps required to configure Syslog forwarding of vault audit logs, such as user activity and safe activity events, from CyberArk EPV to Cortex XSIAM.

General Overview

The CyberArk Vault event logs are generated in XML format. To forward them via Syslog to Cortex XSIAM, the XML event records must be converted to CEF messages. This transformation is done through an XSL translator file, which is then referenced from the Vault server DBParm.ini configuration file, together with the other syslog settings, as described in the configuration steps below.

Configuration Steps

Set up the XSL Translator

  1. Navigate to the Syslog subfolder under the CyberArk Vault server installation folder (PrivateArk\Server\Syslog). This folder contains predefined XSL samples.
  2. Make a copy of the Arcsight.sample.xsl sample file, and rename it with a meaningful name, for example: XSIAM.xsl.
  3. To include the events' timestamps in the events that will be sent to Cortex XSIAM, open the copied XSL file for editing, and above the mapping section for cn1Label and cn1 fields, add the following section, which maps the IsoTimestamp XML field into the CEF message cs6 field and the constant string "IsoTimestamp" to the cs6Label field:
    ```xml
    cs6Label=IsoTimestamp cs6=<xsl:call-template name="string-replace">
      <xsl:with-param name="from" select="'='" />
      <xsl:with-param name="to" select="'\='" />
      <xsl:with-param name="string" select="IsoTimestamp" />
    </xsl:call-template>
    ```
    See the following screenshot for an example of the updated XSL file:
    [Screenshot: xsl_with_timestamp_mapping]
  4. Save the changes.
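As an added example (not part of the pack and not one of CyberArk's XSL files), the following Python parser reads a CEF message the way the receiving side has to read the translator's output: it honours the `\=` escaping that the string-replace template above applies to extension values, and it resolves the cs6Label/cs6 pair back into a named IsoTimestamp field. The sample message, including the Cyber-Ark/Vault header values, the event fields and the timestamp format, is constructed for this example; the csNLabel/csN pairing follows the ArcSight CEF custom-field convention.

```python
import re
from datetime import datetime

# Constructed sample CEF message (header values and event fields are made up
# for this example; the cs6Label/cs6 pairing is the one the XSL step adds).
SAMPLE_CEF = (
    "CEF:0|Cyber-Ark|Vault|13.0|7|Logon|5|act=Logon suser=Auditor "
    "shost=10.0.0.5 cs6Label=IsoTimestamp cs6=2024-11-18T10:15:00Z "
    "cn1Label=RequestId cn1=12 msg=Logon note\\=manual"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An unescaped 'key=' preceded by start-of-string or whitespace starts a new
# extension field; an escaped '\=' inside a value does not match.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(message):
    """Split the seven pipe-delimited header fields, honouring '\\|' escapes,
    and return (header_dict, extension_string)."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    fields, current, i = [], [], len("CEF:")
    while i < len(message) and len(fields) < len(HEADER_FIELDS):
        ch = message[i]
        if ch == "\\" and i + 1 < len(message):   # escaped pipe or backslash
            current.append(message[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER_FIELDS, fields)), message[i:]


def unescape(value):
    """Undo CEF extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n', '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext):
    """Parse 'key=value key=value ...' into a dict; values may contain spaces."""
    ext = ext.strip()
    matches = list(EXT_KEY.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = unescape(ext[m.end():end])
    return result


def labelled_fields(ext):
    """Resolve ArcSight-style custom fields: csNLabel=<name> csN=<value>
    (and cnNLabel/cnN) become {<name>: <value>}."""
    labelled = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-len("Label")] in ext:
            labelled[label] = ext[key[:-len("Label")]]
    return labelled


def parse_cef(message):
    header, ext_string = split_header(message)
    ext = parse_extension(ext_string)
    return {"header": header, "extension": ext, "labelled": labelled_fields(ext)}


def event_timestamp(parsed):
    """Return the IsoTimestamp carried in cs6 as an aware datetime, or None
    when the XSL mapping from the step above is missing from the message."""
    iso = parsed["labelled"].get("IsoTimestamp")
    if iso is None:
        return None
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


if __name__ == "__main__":
    parsed = parse_cef(SAMPLE_CEF)
    print(parsed["header"]["device_vendor"], parsed["header"]["name"])
    print(parsed["labelled"], event_timestamp(parsed))
```

A message from a Vault whose XSL was not updated parses fine but yields no IsoTimestamp, so `event_timestamp` returning None is the quickest way to spot that the translator step was skipped on a given server.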

Set up the Syslog Configuration

  1. Navigate to the Conf subfolder under the CyberArk Vault server installation folder (PrivateArk\Server\Conf).

  2. Copy the [SYSLOG] section from the DBParm.sample.ini sample file, and paste it at the bottom of the DBParm.ini file.

  3. Set the following parameters under the copied [SYSLOG] section in the DBParm.ini file:

    | Parameter | Description
    | :--- | :---
    | SyslogServerIP | IP address of the Cortex XSIAM Broker VM Syslog Server.
    | SyslogServerPort | Target port on which the Cortex XSIAM Broker VM Syslog Server listens for Syslog messages from Cyber-Ark.
    | SyslogServerProtocol | The protocol used to forward the Syslog messages to Cortex XSIAM: UDP (the default), TCP or TLS. Note: TLS requires additional certificate settings; see Configure encrypted and non-encrypted protocols.
    | SyslogMessageCodeFilter | Range or list of the message codes to send to Cortex XSIAM through the syslog protocol. See Vault Audit Action Codes for the complete list of vault event message codes. By default, all message codes for user and safe activities are sent. To include all Vault events, define the range 0-999.
    | SyslogTranslatorFile | Relative path, within the Cyber-Ark Vault server installation folder (PrivateArk\Server), to the XSL translator file (see Set up the XSL Translator above). For example: Syslog\XSIAM.xsl.
    | UseLegacySyslogFormat | Controls whether syslog messages are sent in the old legacy syslog format (Yes) or in the newer RFC 5424 format (No). For Cortex XSIAM, keep the default value of No.
    | SendMonitoringMessage | Controls whether the Syslog messages sent to Cortex XSIAM also include periodic server system monitoring events, in addition to audit events. For Cortex XSIAM, keep the default value of no.

    See DBPARM.ini file parameters for a complete list of the possible DBPARM.ini file syslog parameters.

    Below is a sample [SYSLOG] configuration section for the DBParm.ini file:

    ```ini
    [SYSLOG]
    SyslogServerIP=192.168.1.123
    SyslogServerPort=514
    SyslogServerProtocol=UDP
    SyslogMessageCodeFilter=0-999
    SyslogTranslatorFile=Syslog\XSIAM.xsl
    UseLegacySyslogFormat=No
    SendMonitoringMessage=no
    ```

  4. Restart the Vault server to apply the configuration changes.

Remarks

CyberArk Vault supports additional syslog configuration settings, such as forwarding audit events to multiple syslog servers, each with its own set of syslog parameters. For details, refer to the CyberArk Vault documentation.

Collect Events from Vendor

To use the collector, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

  1. Navigate to Settings > Configuration > Data Broker > Broker VMs.
  2. Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
  3. Click Add New.
  4. Set the following parameters for the Syslog configuration:
    | Parameter | Value
    | :--- | :---
    | Protocol | Must match the protocol defined in the SyslogServerProtocol parameter in the [SYSLOG] section of the DBParm.ini configuration file on the CyberArk Vault server (see Set up the Syslog Configuration).
    | Port | Must match the port defined in the SyslogServerPort parameter in the [SYSLOG] section of the DBParm.ini configuration file on the CyberArk Vault server (see Set up the Syslog Configuration).
    | Format | Select CEF.
    | Vendor | Select Auto-Detect (determined automatically from the CEF header Vendor field).
    | Product | Select Auto-Detect (determined automatically from the CEF header Product field).
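As an added example (not CyberArk's or the pack's own code), the following Python script serves both the Set up the Syslog Configuration steps and the Broker VM table above: it parses the [SYSLOG] section of a DBParm.ini file and checks it against the protocol and port the Broker VM Syslog app is configured with, so a mismatch between the two sides is found before the Vault server is restarted. The parameter names are those from the DBParm.ini table; the validation rules, the sample DBParm.ini content and the Broker VM settings are assumptions constructed for this example.

```python
import ipaddress

# Constructed sample DBParm.ini content (a real file carries many more
# parameters); the [SYSLOG] values mirror the sample section from the page.
SAMPLE_DBPARM = """\
[MAIN]
; other vault parameters omitted in this constructed sample

[SYSLOG]
SyslogServerIP=192.168.1.123
SyslogServerPort=514
SyslogServerProtocol=UDP
SyslogMessageCodeFilter=0-999
SyslogTranslatorFile=Syslog\\XSIAM.xsl
UseLegacySyslogFormat=No
SendMonitoringMessage=no
"""

# Assumed Broker VM Syslog app settings (constructed for this example).
BROKER_SYSLOG_APP = {"protocol": "UDP", "port": 514}


def read_syslog_section(text):
    """Return the key/value pairs of the [SYSLOG] section ({} if absent)."""
    params, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().upper() == "SYSLOG"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_code_filter(spec):
    """Turn a filter such as '0-999' or '7,22,300-399' into (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty entry in message code filter")
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def code_allowed(spec, code):
    """True if the audit action code passes the SyslogMessageCodeFilter."""
    return any(low <= code <= high for low, high in parse_code_filter(spec))


def check_syslog_config(params, broker):
    """Return findings (an empty list means the section is usable with the
    given Broker VM Syslog app settings {'protocol': ..., 'port': ...})."""
    findings = []
    ip = params.get("SyslogServerIP", "")
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        findings.append(f"SyslogServerIP: '{ip}' is not an IP address")
    port = params.get("SyslogServerPort", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"SyslogServerPort: '{port}' is not a valid port")
    elif int(port) != broker["port"]:
        findings.append(f"SyslogServerPort {port} differs from Broker VM port {broker['port']}")
    proto = params.get("SyslogServerProtocol", "UDP").upper()  # UDP is the vault default
    if proto not in ("UDP", "TCP", "TLS"):
        findings.append(f"SyslogServerProtocol: '{proto}' is not UDP, TCP or TLS")
    elif proto != broker["protocol"].upper():
        findings.append(f"SyslogServerProtocol {proto} differs from Broker VM protocol {broker['protocol']}")
    if "SyslogMessageCodeFilter" in params:
        try:
            parse_code_filter(params["SyslogMessageCodeFilter"])
        except ValueError:
            findings.append("SyslogMessageCodeFilter: not a range or list of message codes")
    translator = params.get("SyslogTranslatorFile", "")
    if not translator.lower().endswith(".xsl"):
        findings.append(f"SyslogTranslatorFile: '{translator}' does not point to an .xsl file")
    if params.get("UseLegacySyslogFormat", "No").lower() != "no":
        findings.append("UseLegacySyslogFormat: set to No so RFC 5424 messages are sent")
    if params.get("SendMonitoringMessage", "no").lower() != "no":
        findings.append("SendMonitoringMessage: set to no to forward audit events only")
    return findings


if __name__ == "__main__":
    section = read_syslog_section(SAMPLE_DBPARM)
    for finding in check_syslog_config(section, BROKER_SYSLOG_APP) or ["no findings"]:
        print(finding)
```

Run it against the real DBParm.ini by reading the file into `read_syslog_section` and passing the values from the Broker VM Syslog app as the `broker` dict; the `.xsl` suffix check also catches a translator path typed with the wrong extension, which the Vault would otherwise only report at restart.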

PLATFORMS

Cortex XSIAM

INFO

Supported By: Cortex
Created: August 7, 2023
Last Release: November 18, 2024
