CyberArk Vault Deployment Guide - Securonix


CyberArk Vault Deployment Guide
Date Published: 8/9/2021

Securonix Proprietary Statement

This material constitutes proprietary and trade secret information of Securonix, and shall not be disclosed to any third party, nor used by the recipient except under the terms and conditions prescribed by Securonix. The trademarks, service marks, and logos of Securonix and others used herein are the property of Securonix or their respective owners.

Securonix Copyright Statement

This material is also protected by Federal Copyright Law and is not to be copied or reproduced in any form, using any medium, without the prior written authorization of Securonix. However, Securonix allows the printing of the Adobe Acrobat PDF files for the purposes of client training and reference.

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. Nothing herein should be construed as constituting an additional warranty. Securonix shall not be liable for technical or editorial errors or omissions contained herein. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's internal use without the written permission of Securonix.

Copyright 2021 Securonix. All rights reserved.

Contact Information
Securonix
5080 Spectrum Drive, Suite 950W
Addison, TX 75001
(855) 732-6649

SNYPR Deployment Guide

Table of Contents

Introduction
    About CyberArk Vault
    Supported Collection Method
    Format
    Functionality
CyberArk Vault Configuration
    Configure Syslog for CyberArk Vault
Configuration in SNYPR
Verify the Job
Resources

Introduction

This Deployment Guide provides information on how to configure CyberArk Vault to send security logs to SNYPR.

About CyberArk Vault

CyberArk provides solutions to protect privileged credentials by securing, rotating, and monitoring their usage. CyberArk Vault also provides a way for clients to respond to potential attacks that involve sensitive credentials.

Supported Collection Method

The collection method is Syslog.

Format

The format is CEF.

Functionality

In SNYPR, resource groups (datasources) are categorized by functionality. The functionality determines what content is available when you import the datasource. For more information about Device Categorization, see the Data Dictionary.

The functionality of CyberArk Vault is Access / Privileged User.

CyberArk Vault Configuration

Complete the following steps to configure CyberArk Vault to export events to SNYPR.

Configure Syslog for CyberArk Vault

The system logger of the Vault must be configured to send logging data to the Privacy Threshold Analysis (PTA) machine for real-time data analysis.

To configure syslog on the Vault machine (until Vault v10.4):

1. From the installation package, copy PTA.xsl to the Syslog subdirectory of the Vault installation folder. By default the subdirectory is C:\Program Files (x86)\PrivateArk\Server\Syslog.

2. In the C:\Program Files (x86)\PrivateArk\Server folder, open dbparm.ini and add the following lines:

       [SYSLOG]
       SyslogTranslatorFile Syslog\PTA.xsl
       SyslogServerPort <port number>
       SyslogServerIP <server IP>
       SyslogServerProtocol TCP
       SyslogMessageCodeFilter 0,302,294,427
       UseLegacySyslogFormat No

   Specify the following information:

   Parameter Name: SyslogServerIP
   Define or Select: The IP address(es) of the PTA machine where messages will be sent.

   Parameter Name: SyslogServerPort
   Define or Select: The port number through which the syslog will be sent. Specify 514 to send syslogs to the default PTA port.

   Parameter Name: SyslogServerProtocol
   Define or Select: The protocol used to transfer the syslog records. Specify tcp or udp (TCP).
   Note: PTA does not support the SSL protocol.

   Parameter Name: SyslogMessageCodeFilter
   Define or Select: Defines which message codes will be sent from the Vault machine to PTA through the Syslog protocol. You can specify message numbers separated by commas. You can also specify a range of numbers using '-'. Message codes are sent for the following events:

       Code   Activity
       7      Logon
       24     CPM Change Password
       31     CPM Reconcile Password
       295    Retrieve Password
       308    Use Password
       428    Retrieve SSH keys
       361    SSH Command
       372    Terminated PSM Session
       373    Terminated PSM Session Failed
       359    SQL Command
       436    SCP Command
       412    PSM Keystrokes Logging
       411    PSM Window Titles
       300    PSM Connect
       302    PSM Disconnect
       294    Store Password
       427    Store SSH Key

   Parameter Name: SyslogTranslatorFile
   Define or Select: Specifies the XSL file used to parse Vault records data into the Syslog protocol.

   Parameter Name: UseLegacySyslogFormat
   Define or Select: Controls the format of the syslog message, and defines whether it will be sent in the newer syslog format (RFC 5424) or in a legacy format. Required value: No. This enables the Vault to work with the newer syslog format.

3. To forward Vault syslog to multiple machines (for instance, to your SIEM solution as well as to PTA), you can specify multiple values for the following parameters and separate each value with a comma:

   Note:
   - This requires CyberArk Vault version 7.2.5 or higher.
   - All destinations must use the same port and protocol, which are specified in the SyslogServerPort and SyslogServerProtocol fields.
   - The specified values will apply to all destinations configured in SyslogServerIP, using the translator files specified in SyslogTranslatorFile.

   Parameter Name: SyslogMessageCodeFilter
   Define or Select: Separate multiple values with a comma, and separate sets of multiple values with a pipe-line, as shown in the example below.

   The following example shows how to send different syslog messages to multiple syslog servers:

       [SYSLOG]
       SysLogTranslatorFile Syslog\PTA.xsl
       SyslogServerPort <port number>
       SysLogServerIP 1.1.1.1,1.1.2.2,1.1.3.3
       SyslogServerProtocol TCP
       UseLegacySyslogFormat Yes,Yes,No
       SyslogMessageCodeFilter 7,8,295|295-296|0,302,294,427

4. Save and close the file.

5. Restart the Vault.
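The multi-destination rules above (one shared port and protocol, one UseLegacySyslogFormat value per SyslogServerIP, comma-separated code lists, '-' ranges, pipe-separated sets, and UseLegacySyslogFormat set to No for the destination that feeds SNYPR) are easy to get subtly wrong when a SIEM destination is added next to PTA. The following checker is an added example, not Securonix or CyberArk code; it reads the [SYSLOG] section of a constructed dbparm.ini modelled on the guide's example (with the v10.5 code 471 added) and reports any inconsistency before the Vault is restarted. The assumption that dbparm.ini separates a key from its value with whitespace follows the guide's listings.

```python
"""Consistency check for the [SYSLOG] section of a CyberArk Vault dbparm.ini.

Added example (not Securonix or CyberArk code). Encodes the rules the guide
states for forwarding to several syslog destinations.
"""
import re
from typing import Dict, List, Set

# Constructed sample, modelled on the guide's multi-server example.
SAMPLE_DBPARM = """\
[MAIN]
Port 1858

[SYSLOG]
SysLogTranslatorFile Syslog\\PTA.xsl
SyslogServerPort 514
SysLogServerIP 1.1.1.1,1.1.2.2,1.1.3.3
SyslogServerProtocol TCP
UseLegacySyslogFormat Yes,Yes,No
SyslogMessageCodeFilter 7,8,295|295-296|0,302,294,427,471
"""

# Codes the guide lists for the SNYPR destination (Vault v10.5 variant).
SNYPR_CODES = {0, 302, 294, 427, 471}


def parse_syslog_section(text: str) -> Dict[str, str]:
    """Return key -> value for the [SYSLOG] section (key and value are space-separated).

    Keys are lower-cased because the guide spells the same key both
    'SyslogServerIP' and 'SysLogServerIP'.
    """
    params: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.upper() == "[SYSLOG]"
            continue
        if in_section:
            key, _, value = line.partition(" ")
            params[key.lower()] = value.strip()
    return params


def expand_codes(spec: str) -> Set[int]:
    """Expand one comma-separated code list, honouring 'a-b' ranges."""
    codes: Set[int] = set()
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        m = re.fullmatch(r"(\d+)-(\d+)", item)
        if m:
            codes.update(range(int(m.group(1)), int(m.group(2)) + 1))
        else:
            codes.add(int(item))
    return codes


def destinations(params: Dict[str, str]) -> List[str]:
    return [ip.strip() for ip in params.get("syslogserverip", "").split(",") if ip.strip()]


def validate_syslog(params: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the section is consistent."""
    problems: List[str] = []
    n = max(len(destinations(params)), 1)
    if not destinations(params):
        problems.append("SyslogServerIP is missing")
    if not params.get("syslogtranslatorfile"):
        problems.append("SyslogTranslatorFile is missing")
    # Port and protocol are shared by every destination: exactly one value each.
    port = params.get("syslogserverport", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"SyslogServerPort must be a single port number, got {port!r}")
    proto = params.get("syslogserverprotocol", "").upper()
    if proto not in ("TCP", "UDP"):
        problems.append(f"SyslogServerProtocol must be TCP or UDP, got {proto!r}")
    # Per-destination parameters: one value for all destinations, or one per IP.
    for key, sep in (("uselegacysyslogformat", ","), ("syslogmessagecodefilter", "|")):
        values = [v.strip() for v in params.get(key, "").split(sep)]
        if len(values) not in (1, n):
            problems.append(f"{key} has {len(values)} values for {n} destinations")
    legacy = [v.strip().lower() for v in params.get("uselegacysyslogformat", "").split(",")]
    if any(v not in ("yes", "no") for v in legacy):
        problems.append("UseLegacySyslogFormat values must be Yes or No")
    return problems


def codes_per_destination(params: Dict[str, str]) -> Dict[str, Set[int]]:
    """Map each SyslogServerIP to the set of message codes it will receive."""
    ips = destinations(params)
    sets = [expand_codes(s) for s in params["syslogmessagecodefilter"].split("|")]
    if len(sets) == 1:
        sets = sets * len(ips)
    return dict(zip(ips, sets))


def check_snypr_destination(params: Dict[str, str], ip: str) -> List[str]:
    """Check that `ip` receives the guide's codes in the RFC 5424 (non-legacy) format."""
    ips = destinations(params)
    if ip not in ips:
        return [f"{ip} is not listed in SyslogServerIP"]
    problems: List[str] = []
    missing = SNYPR_CODES - codes_per_destination(params)[ip]
    if missing:
        problems.append(f"{ip} will not receive codes {sorted(missing)}")
    legacy = [v.strip().lower() for v in params["uselegacysyslogformat"].split(",")]
    if len(legacy) == 1:
        legacy = legacy * len(ips)
    if legacy[ips.index(ip)] != "no":
        problems.append(f"{ip} uses the legacy syslog format; the guide requires No")
    return problems


if __name__ == "__main__":
    p = parse_syslog_section(SAMPLE_DBPARM)
    print("section problems:", validate_syslog(p) or "none")
    for dest in destinations(p):
        print(dest, sorted(codes_per_destination(p)[dest]), check_snypr_destination(p, dest) or "ok for SNYPR")
```

Run it against the real dbparm.ini before step 5 (restart): a destination that is missing one of the codes in the guide's filter, or that is still on the legacy format, is reported by name.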

To configure syslog on the Vault machine (from Vault v10.5):

1. Copy the PTA syslog parameters from the dbparm.sample.ini file to the dbparm.ini configuration file:

       [SYSLOG]
       SyslogTranslatorFile Syslog\PTA.xsl
       SyslogServerPort <port number>
       SyslogServerIP <server IP>
       SyslogServerProtocol TCP
       SyslogMessageCodeFilter 0,302,294,427,471
       UseLegacySyslogFormat No

2. To forward Vault syslog to multiple machines (for instance, to your SIEM solution as well as to PTA), you can specify multiple values for the following parameters and separate each value with a comma:

   - All destinations must use the same port and protocol, which are specified in the SyslogServerPort and SyslogServerProtocol fields.
   - The specified values will apply to all destinations configured in SyslogServerIP, using the translator files specified in SyslogTranslatorFile.

   Parameter Name: SyslogMessageCodeFilter
   Define or Select: Separate multiple values with a comma, and separate sets of multiple values with a pipe-line, as shown in the example below.

   The following example shows how to send different syslog messages to multiple syslog servers:

       [SYSLOG]
       SysLogTranslatorFile Syslog\PTA.xsl
       SyslogServerPort <port number>
       SysLogServerIP 1.1.1.1,1.1.2.2,1.1.3.3
       SyslogServerProtocol TCP
       UseLegacySyslogFormat Yes,Yes,No
       SyslogMessageCodeFilter 7,8,295|295-296|0,302,294,427,471

3. Save and close the file.

4. Restart the Vault.

Verify Logs on Remote Ingestion Node (RIN)

On the Remote Ingester Node, verify that logs are being received using the following command:

    tcpdump -i eth0 tcp port 3514 -v -A

Configuration in SNYPR

To configure CyberArk Vault in SNYPR, complete the following steps:

1. Log in to SNYPR.

2. Navigate to Menu > Add Data > Activity.

3. Click Add Data for Existing Device Type.

4. Click the Vendor drop-down and select the following information:
   - Vendors: CyberArk
   - Device Type: CyberArk Enterprise Password Vault
   - Collection Method: Syslog (CEF)

5. Choose an ingester from the drop-down list.

6. Click to add a filter.

7. Provide a unique name for the filter.

8. Enter the following syslog filter in the Filter expression box:

       {host("10.0.0.1");};

9. Complete the following information in the Device Information section:
   a. Datasource Name: CyberArk Vault
   b. Specify timezone for activity logs: Click the drop-down and select a timezone for the logs.

10. Click Get Preview on the top right of the screen to view the data.

11. Click Save & Next until you reach step 4: Identity Attribution.

12. Click Add New Correlation Rule.

13. Enter a descriptive name for the correlation rule.

14. Provide the following parameters to create a correlation rule:
    - Example: User Attribute: firstname, Operation: None, Condition: And, Separator: . (period), User Attribute: lastname, Operation: None, Condition: And. This correlation rule will correlate users to activity accounts with the format firstname.lastname.

15. Scroll to the bottom of the screen and click Save.

16. Click Save & Next.

17. Select Do you want to run job Once? in the Job Scheduling Information section.

18. Click Save & Run.

You will automatically be directed to the Job Monitor screen.
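Two pieces of the procedure above are worth seeing end to end: the syslog filter in step 8, which keeps only events whose syslog hostname is the Vault (10.0.0.1 in the guide's example), and the correlation rule in step 14, which matches activity accounts against the identity attribute pair firstname.lastname. The following parser is an added example, not Securonix or CyberArk code. The syslog lines, the CEF vendor/product strings, the extension keys (suser, src, fname) and the identity records are all constructed for illustration; the only assumption carried over from the guide is that the CEF signature ID holds the Vault message code listed in the SyslogMessageCodeFilter table. Matching account names case-insensitively is this example's own choice.

```python
"""Parse RFC 5424 syslog lines carrying CyberArk Vault CEF events, apply a
host("...") style filter and the firstname.lastname correlation rule.

Added example (not Securonix or CyberArk code); all sample data is constructed.
"""
import re
from typing import Dict, List, Optional

# Message codes and activities as listed in the guide's SyslogMessageCodeFilter table.
MESSAGE_CODES = {
    7: "Logon", 24: "CPM Change Password", 31: "CPM Reconcile Password",
    295: "Retrieve Password", 308: "Use Password", 428: "Retrieve SSH keys",
    361: "SSH Command", 372: "Terminated PSM Session",
    373: "Terminated PSM Session Failed", 359: "SQL Command", 436: "SCP Command",
    412: "PSM Keystrokes Logging", 411: "PSM Window Titles", 300: "PSM Connect",
    302: "PSM Disconnect", 294: "Store Password", 427: "Store SSH Key",
}

# Constructed RFC 5424 lines. The HOSTNAME field (4th token) is what the
# guide's filter {host("10.0.0.1");}; selects on. The last line comes from
# another host and must be dropped. The second line shows an escaped pipe.
SAMPLE_LINES = [
    '<14>1 2021-08-09T10:00:00Z 10.0.0.1 Vault - - - CEF:0|Cyber-Ark|Vault|11.1|7|Logon|5|suser=jane.doe src=192.0.2.10 msg=Logon succeeded',
    '<14>1 2021-08-09T10:00:05Z 10.0.0.1 Vault - - - CEF:0|Cyber-Ark|Vault|11.1|295|Retrieve Password|5|suser=jane.doe src=192.0.2.10 fname=Root\\|prod',
    '<14>1 2021-08-09T10:00:09Z 10.0.0.1 Vault - - - CEF:0|Cyber-Ark|Vault|11.1|302|PSM Disconnect|5|suser=svc_backup src=192.0.2.11',
    '<14>1 2021-08-09T10:00:12Z 10.0.0.9 Vault - - - CEF:0|Cyber-Ark|Vault|11.1|7|Logon|5|suser=john.smith src=192.0.2.12',
]

# Constructed identity records carrying the attributes the correlation rule uses.
USERS = [
    {"employeeid": "1001", "firstname": "Jane", "lastname": "Doe"},
    {"employeeid": "1002", "firstname": "John", "lastname": "Smith"},
]

_HEADER = re.compile(r"<\d+>1 (\S+) (\S+) \S+ \S+ \S+ (?:-|\[.*?\]) (CEF:.*)$")
_EXT = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def split_cef_header(payload: str, maxsplit: int = 7) -> List[str]:
    """Split the CEF header on '|' unless escaped as '\\|'; the extension stays whole."""
    parts, cur, i = [], [], 0
    while i < len(payload):
        if len(parts) == maxsplit:
            parts.append(payload[i:])
            return parts
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cef(line: str) -> Optional[dict]:
    """Parse one syslog line with a CEF payload; None if it is not CEF:0."""
    m = _HEADER.match(line)
    if not m:
        return None
    ts, host, payload = m.groups()
    fields = split_cef_header(payload)
    if len(fields) != 8 or fields[0] != "CEF:0" or not fields[4].isdigit():
        return None
    code = int(fields[4])
    return {"timestamp": ts, "host": host, "vendor": fields[1], "product": fields[2],
            "code": code, "activity": MESSAGE_CODES.get(code, fields[5]),
            "ext": dict(_EXT.findall(fields[7]))}


def apply_host_filter(lines: List[str], host: str) -> List[dict]:
    """Keep events whose syslog HOSTNAME equals `host`, like host("...") in the guide."""
    events = (parse_cef(line) for line in lines)
    return [e for e in events if e and e["host"] == host]


def correlation_key(user: dict) -> str:
    """firstname.lastname, the account format the guide's correlation rule builds."""
    return f"{user['firstname']}.{user['lastname']}".lower()


def attribute(events: List[dict], users: List[dict]) -> List[dict]:
    """Attach the employeeid whose firstname.lastname matches the event's suser."""
    by_key: Dict[str, str] = {correlation_key(u): u["employeeid"] for u in users}
    return [{**e, "employeeid": by_key.get(e["ext"].get("suser", "").lower())} for e in events]


if __name__ == "__main__":
    for e in attribute(apply_host_filter(SAMPLE_LINES, "10.0.0.1"), USERS):
        print(e["timestamp"], e["code"], e["activity"], e["ext"].get("suser"), "->", e["employeeid"])
```

An event whose account does not fit firstname.lastname (the svc_backup line) stays unattributed; that is the set to review after the job runs, since service accounts used from the Vault need their own correlation rule or a manual mapping.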

Verify the Job

Upon a successful import, the event data will be available for searching in Spotter. To search events in Spotter, complete the following steps:

1. Navigate to Menu > Security Center > Spotter.

2. Verify that the datasource you ingested is listed under the Available Datasources section.

Resources

If you need additional information, the following resources are available:

orward-syslogMessages.htm

Author: Securonix Documentation