Connect this data source on your own, using the Hunters platform.
TL;DR
| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| CyberArk Privileged Access Security Logs | ✅ | ✅ | | | cyberark_privileged_access_security | CEF | S3 |
Overview
CyberArk is a cybersecurity company that specializes in privileged access management (PAM) solutions. Privileged access refers to the elevated permissions and credentials that grant users or applications extensive control over critical systems and sensitive data within an organization. CyberArk's solutions focus on securing and managing these privileged accounts to prevent unauthorized access, misuse, or abuse.
Supported data types
CyberArk Privileged Access Security Logs
Table name: cyberark_privileged_access_security
CyberArk Privileged Access Security Logs provide detailed information about privileged account activity and events within an organization's IT environment.
The supported products are:
Privileged Threat Analytics (PTA)
On-Demand Privileges Manager (OPM)
Send data to Hunters
Hunters supports the ingestion of CyberArk logs via an intermediary AWS S3 bucket.
To connect CyberArk logs:
Export your logs from CyberArk to an AWS S3 bucket.
Once the export has completed and the logs are in S3, follow the steps in this section.
Expected format
Logs are expected in CEF format.
2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed duser=PasswordManager fname=Root\S-1-5-21-1147481723-1708746877-4547331-38808 src=10.7.3.171 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=Windows PCAdmin Accounts cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cn1Label="Request Id" cn1= msg=Failure. Failure Description: CACPM344E Verifying Password Safe: Windows PCAdmin Accounts, Folder: Root, Object: S-1-5-21-1147481723-1708746877-4547331-38808 failed (try #368). Code: 2101, Error: Error in verifypass to user IT28326D1L.hmcorp.local\pcadmin on domain IT28326D1L.hmcorp.local(\\IT28326D1L.HMCORP.LOCAL). Reason: No network provider accepted the given network path. (winRc\=1203). , address\=IT28326D1L.hmcorp.local;retriescount\=368;username\=pcadmin;, Failure: CPM Verify Password Failed
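As an added example (not code from the Hunters documentation or from CyberArk), here is a small Python parser for a record in the format shown above: it splits the seven pipe-delimited CEF header fields, parses the `key=value` extension while honouring the CEF `\=` and `\\` escapes and empty values, and resolves the `csNLabel`/`csN` pairs so that a field such as `cs2` is returned under its label `Safe Name`. The sample line is a constructed, shortened copy of the record above; the function and field names are this example's own.

```python
import re
# Constructed sample (shortened from the record above, not a verbatim copy): syslog
# timestamp and host, seven pipe-delimited CEF header fields, then key=value extension
# data in which '=' inside values is escaped as '\=' and csN fields carry csNLabel names.
SAMPLE = (
    "2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|"
    "Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed "
    "duser=PasswordManager fname=Root\\S-1-5-21-1147481723-1708746877-4547331-38808 "
    'src=10.7.3.171 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" '
    'cs2=Windows PCAdmin Accounts cn1Label="Request Id" cn1= msg=Failure. Reason: '
    "No network provider accepted the given network path. (winRc\\=1203). , "
    "address\\=IT28326D1L.hmcorp.local;retriescount\\=368;username\\=pcadmin;"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# Seven header fields, each terminated by an unescaped '|' ('\|' and '\\' are escapes).
_HEADER_RE = re.compile(r"((?:[^|\\]|\\.)*)\|" * 7)
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # extension keys always follow whitespace
_EXT_ESC = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}

def parse_extension(ext):
    """Split 'key=value key=value'; values may contain spaces or '\\=' and may be empty."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':    # CyberArk quotes its csNLabel values
            raw = raw[1:-1]
        out[m.group(1)] = re.sub(r"\\[=\\nr]", lambda s: _EXT_ESC[s.group(0)], raw)
    return out

def parse_cyberark_cef(line):
    """Parse one syslog-wrapped CyberArk CEF line into a flat dict with csN labels resolved."""
    start = line.find("CEF:")
    m = _HEADER_RE.match(line, start) if start >= 0 else None
    if not m:
        raise ValueError("not a well-formed CEF record")
    rec = {k: re.sub(r"\\(.)", r"\1", v) for k, v in zip(HEADER_FIELDS, m.groups())}
    rec["cef_version"] = rec["cef_version"].split(":", 1)[1]
    rec["severity"] = int(rec["severity"])
    prefix = line[:start].split()                       # optional syslog timestamp and host
    if len(prefix) >= 2:
        rec["timestamp"], rec["host"] = prefix[0], prefix[1]
    ext = parse_extension(line[m.end():])
    for key in list(ext):                               # csNLabel names the meaning of csN
        if key.endswith("Label") and key[:-5] in ext:
            ext[ext.pop(key)] = ext.pop(key[:-5])       # e.g. "Safe Name" -> "Windows PCAdmin Accounts"
    rec.update(ext)
    return rec
```

Note that an unescaped backslash that is not a CEF escape (the `Root\S-1-5-...` path in `fname`) is kept as-is, so downstream matching on that field must not assume it has been doubled.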