Overview

This article explains how to ingest your CyberArk Privileged Access Security (PAS) logs into Hunters.

Ingestion to Hunters

For Hunters to integrate with your CyberArk logs, the logs must be collected into a storage service (for example, an S3 bucket or Azure Blob Storage) that is shared with Hunters.

Supported Format

Example expected log (one CEF record per line, wrapped in a syslog header):

Dec 14 09:49:33 PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed duser=PasswordManager fname=Root\S-1-5-21-1147481723-1708746877-4547331-38808 src=10.7.3.171 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=Windows PCAdmin Accounts cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cn1Label="Request Id" cn1= msg=Failure. Failure Description: CACPM344E Verifying Password Safe: Windows PCAdmin Accounts, Folder: Root, Object: S-1-5-21-1147481723-1708746877-4547331-38808 failed (try #368). Code: 2101, Error: Error in verifypass to user IT28326D1L.hmcorp.local\pcadmin on domain IT28326D1L.hmcorp.local(\\IT28326D1L.HMCORP.LOCAL). Reason: No network provider accepted the given network path. (winRc\=1203). , address\=IT28326D1L.hmcorp.local;retriescount\=368;username\=pcadmin;, Failure: CPM Verify Password Failed
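The record above is a syslog-wrapped CEF event, and anything that parses this feed has to cope with three things it shows: seven pipe-delimited header fields, extension values that contain spaces ("Windows PCAdmin Accounts") or are empty ("cs1=" directly followed by "cs2Label="), and the "\=" escape inside msg. The parser below is an added example, not Hunters' or CyberArk's own code. It reads the sample record from this page, also accepts a raw CEF line without the syslog prefix, resolves the csN/cnN fields through their csNLabel names, and picks out "CPM Verify Password Failed" events. The msg_details extraction relies on the "address=...;retriescount=...;username=...;" convention visible in this one sample and is an assumption about other records; the decision not to collapse "\\" is also driven by this sample, which sends backslashes in paths raw.

```python
"""Parse CyberArk Vault CEF records as they arrive over syslog (added example,
not Hunters' or CyberArk's code). Layout: optional syslog prefix, a 'CEF:' header
of seven pipe-delimited fields, then a space-separated key=value extension."""
import re
from typing import Dict, Iterable, List

# The record shown on this page, reproduced verbatim as one line.
SAMPLE = (
    "Dec 14 09:49:33 PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|"
    "Failure: CPM Verify Password Failed|7|"
    "act=CPM Verify Password Failed duser=PasswordManager "
    "fname=Root\\S-1-5-21-1147481723-1708746877-4547331-38808 src=10.7.3.171 "
    'cs1Label="Affected User Name" cs1= cs2Label="Safe Name" '
    'cs2=Windows PCAdmin Accounts cs3Label="Location" cs3= '
    'cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= '
    'cn1Label="Request Id" cn1= '
    "msg=Failure. Failure Description: CACPM344E Verifying Password Safe: "
    "Windows PCAdmin Accounts, Folder: Root, Object: "
    "S-1-5-21-1147481723-1708746877-4547331-38808 failed (try #368). Code: 2101, "
    "Error: Error in verifypass to user IT28326D1L.hmcorp.local\\pcadmin on domain "
    "IT28326D1L.hmcorp.local(\\\\IT28326D1L.HMCORP.LOCAL). Reason: No network "
    "provider accepted the given network path. (winRc\\=1203). , "
    "address\\=IT28326D1L.hmcorp.local;retriescount\\=368;username\\=pcadmin;, "
    "Failure: CPM Verify Password Failed"
)

# Syslog prefix is optional so a raw CEF line (e.g. from an event hub) also parses.
_PREFIX = re.compile(r"^(?:(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+)?(CEF:.*)$")
_PIPE = re.compile(r"(?<!\\)\|")                    # header separator unless escaped
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")  # a key starts after whitespace
_MSG_DETAIL = re.compile(r"(\w+)=([^;=]*);")        # 'address=..;retriescount=..;'


def _unescape(value: str) -> str:
    # The Vault escapes '=' (and '|' in the header) but, as the sample shows, sends
    # backslashes in paths raw ('Root\S-1-5-...', '\\HOST'); collapsing '\\' per
    # strict CEF would corrupt those, so only the separator escapes are undone.
    return value.replace("\\=", "=").replace("\\|", "|")


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key->value; values may contain spaces or be empty."""
    fields: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        value = _unescape(ext[m.end():end])
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # csNLabel values are quoted in this feed
        fields[m.group(1)] = value
    return fields


def labeled_custom_fields(ext: Dict[str, str]) -> Dict[str, str]:
    """Resolve csN/cnN values through their csNLabel/cnNLabel names."""
    return {label: ext.get(key[:-len("Label")], "")
            for key, label in ext.items() if key.endswith("Label")}


def parse_cyberark_cef(line: str) -> Dict[str, object]:
    """Parse one record into header fields, the extension map and derived views."""
    m = _PREFIX.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a CEF record: %r" % line[:60])
    parts = _PIPE.split(m.group(3), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 fields followed by an extension")
    header = [_unescape(p) for p in parts[:7]]
    ext = parse_extension(parts[7])
    return {
        "syslog_time": m.group(1), "syslog_host": m.group(2),
        "cef_version": header[0][len("CEF:"):],
        "vendor": header[1], "product": header[2], "device_version": header[3],
        "signature_id": header[4], "name": header[5], "severity": int(header[6]),
        "ext": ext,
        "labeled": labeled_custom_fields(ext),
        # Assumption from this sample: msg ends in 'address=..;retriescount=..;username=..;'
        "msg_details": dict(_MSG_DETAIL.findall(ext.get("msg", ""))),
    }


def cpm_verify_failures(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Select 'CPM Verify Password Failed' events and flatten what an analyst needs."""
    hits = []
    for line in lines:
        ev = parse_cyberark_cef(line)
        if ev["name"] != "Failure: CPM Verify Password Failed":
            continue
        hits.append({
            "vault": ev["syslog_host"], "severity": ev["severity"],
            "safe": ev["labeled"].get("Safe Name", ""),
            "object": ev["ext"].get("fname", ""),
            "cpm_user": ev["ext"].get("duser", ""),
            "target": ev["msg_details"].get("address", ""),
            "target_user": ev["msg_details"].get("username", ""),
            "retries": int(ev["msg_details"].get("retriescount", "0")),
        })
    return hits


if __name__ == "__main__":
    for hit in cpm_verify_failures([SAMPLE]):
        print(hit)
```

Running the block on the sample yields one hit for safe "Windows PCAdmin Accounts" against target IT28326D1L.hmcorp.local with 368 retries. The key-boundary regex is what keeps "Windows PCAdmin Accounts" in one value and leaves cs1 empty; the escaped "(winRc\=1203)" inside msg is correctly not treated as a new extension key, and only becomes "winRc=1203" after unescaping.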