CyberArk Privileged Threat Analytics
This pack includes Cortex XSIAM content.
This pack contains a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields.
Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs.
We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve.
Configuration on Server Side
You need to configure CyberArk Privileged Threat Analytics (PTA) to forward Syslog messages in CEF format.
Access your Cyberark PTA machine and follow these instructions Product Documentation:
- On the PTA machine, open the default systemparm.properties file using the DEFAULTPARM command.
- Copy the line containing the syslog_outbound property, and exit the file.
- Open the local systemparm.properties file using the LOCALPARM command.
- Press i to edit the file.
- Paste the line you copied, uncomment the syslog_outbound property and edit the parameters. Use the following as a guide.
- format - CEF.
- protocol - UDP.
- siem - Assign a name to your configuration.
- host - Write the dedicated hostname or IP address.
- port - Write the dedicated port number.
- syslogType - RFC5424.
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
Navigate to Settings → Configuration → Data Broker → Broker VMs.
Go to the Apps column under the Brokers tab and add the Syslog Collector app for the relevant broker instance. If the app already exists, hover over it and click Configure.
Click Add New for adding a new syslog data source.
When configuring the new syslog data source, set the following values:
Parameter Value VendorEnter cyberark. ProductEnter pta.
