CyberArk

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

CyberArk Privileged Access Security Logs

✅

✅

cyberark_privileged_access_security

CEF

S3


Overview

CyberArk is a cybersecurity company that specializes in privileged access management (PAM) solutions. Privileged access refers to the elevated permissions and credentials that grant users or applications extensive control over critical systems and sensitive data within an organization. CyberArk's solutions focus on securing and managing these privileged accounts to prevent unauthorized access, misuse, or abuse.

Supported data types

CyberArk Privileged Access Security Logs

Table name: cyberark_privileged_access_security

CyberArk Privileged Access Security Logs provide detailed information about privileged account activity and events within an organization's IT environment.
The supported products are:

  • Privileged Threat Analytics (PTA)

  • On-Demand Privileges Manager (OPM)

Send data to Hunters

Hunters supports the ingestion of CyberArk logs via an intermediary AWS S3 bucket.

To connect CyberArk logs:

  1. Export your logs from CyberArk to an AWS S3 bucket.

  2. Once the export is complete and the logs have been collected in S3, follow the steps in this section.

Expected format

Logs are expected in CEF format.

2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed duser=PasswordManager fname=Root\S-1-5-21-1147481723-1708746877-4547331-38808 src=10.7.3.171 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=Windows PCAdmin Accounts cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cn1Label="Request Id" cn1= msg=Failure. Failure Description: CACPM344E Verifying Password Safe: Windows PCAdmin Accounts, Folder: Root, Object: S-1-5-21-1147481723-1708746877-4547331-38808 failed (try #368). Code: 2101, Error: Error in verifypass to user IT28326D1L.hmcorp.local\pcadmin on domain IT28326D1L.hmcorp.local(\\IT28326D1L.HMCORP.LOCAL). Reason: No network provider accepted the given network path. (winRc\=1203). , address\=IT28326D1L.hmcorp.local;retriescount\=368;username\=pcadmin;, Failure: CPM Verify Password Failed
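
To check that exported lines match this format before they reach the S3 bucket, the following added example (not Hunters or CyberArk code) parses a line shaped like the sample above. The function and field names are hypothetical, and the input is a constructed line abridged from the sample.

```python
import re

HEADER = ("cef_version", "device_vendor", "device_product",
          "device_version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")  # "\=" never matches: "\" is not \w

# Constructed sample, abridged from the line on this page.
SAMPLE = (
    r'2023-01-01T00:01:51Z PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|'
    r'Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed '
    r'duser=PasswordManager src=10.7.3.171 cs1Label="Affected User Name" cs1= '
    r'cs2Label="Safe Name" cs2=Windows PCAdmin Accounts msg=Failure. Reason: '
    r'No network provider accepted the given network path. (winRc\=1203). , '
    r'retriescount\=368;username\=pcadmin;'
)

def parse_cef_line(line):
    """Parse '<timestamp> <host> CEF:...'; raise ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    # Header: seven pipe-delimited fields, then the key=value extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("expected 7 header fields plus an extension")
    event = dict(zip(HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    event["prefix"] = line[:start].split()  # timestamp and vault host
    # A value runs until the next " key=", so spaces and empty values are fine.
    ext, raw = parts[7], {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    # Fold cs1Label="Safe Name" + cs1=... into one field named by its label.
    event["fields"] = {
        raw.get(k + "Label", k).strip('"'): v
        for k, v in raw.items() if not k.endswith("Label")
    }
    return event

if __name__ == "__main__":
    for name, value in parse_cef_line(SAMPLE)["fields"].items():
        print(f"{name!r}: {value!r}")
```

A line that raises ValueError here has no CEF header or too few header fields and can be held back for inspection instead of being exported.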