Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

About the Device

CyberArk Enterprise Password Vault, part of the CyberArk Privileged Account Security Solution, enables organizations to secure, manage and track the use of privileged credentials whether on premise or in the cloud, across operating systems, databases, applications, hypervisors, network devices and more. The product is built on the CyberArk Shared Technology Platform, delivering scalability, high availability and centralized management and reporting.

Device Information

 Entity

Particulars

Vendor Name

CyberArk

Product Name

Enterprise Password Vault (Now comes under Privileged Access Manager )

Type of Device

Hosted

Collection Method

Log Type

 Ingestion label

Preferred Logging Protocol - Format

Log Collection Method

Cyberark Privilege Cloud

 CYBERARK_PRIVILEGE_CLOUD

Syslog - CEF

CyberHub

Port Requirements

Source

Destination

Port

CyberArk Enterprise Password Vault

CyberHub

6514 (TLS)

Device Configuration

To Configure CyberArk EPV to Collect Logs

Syslog messages can be sent to multiple syslog servers in two different ways:

A single message can be sent to multiple servers by configuring a single XSLT file.

Multiple messages can be sent to different Syslog servers and formatted differently for each server by configuring multiple XSLT files, formats and code message lists. The code-message lists must be matched, meaning they must contain the same number of items in the same order.

  1. In PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section with all fields.

  2. In PrivateArk\Server\DBParm.sample.ini, paste SYSLOG section at the bottom.

  3. The configuration parameters for SYSLOG are listed below:

    1.  SyslogServerIP - The IP address (es) of the Syslog servers where messages will be sent. We will explicitly specify IP of CyberHub. Specify multiple values with commas if needed.

    2. SyslogServerProtocol - Specifies the Syslog protocol that will be used to send audit logs. The default value is UDP. This works with TCP as well.

    3.  SyslogServerPort - The port used to connect to the Syslog server. The default value is 514. Customer may change it according to environment.

    4. SyslogMessageCodeFilter - We have to set it 0-999 to ensure all possible types of logs are sent over Syslog. Defines which message codes will be sent from the Vault to the SIEM application through Syslog protocol. You can specify message numbers and/or ranges of numbers, separated by commas. Specify multiple values with pipelines. By default, all message codes are sent for user and Safe activities. For a list of messages and codes, refer to the Privileged Account Security Reference Guide.

      image-20240116-135617.png

    5. SyslogTranslatorFile: Specifies the XSL file used to parse CyberArk audit records data into Syslog protocol. Specify multiple values with commas. We have to set it to C:\Program Files (x86)\PrivateArk\Server\Syslog\Arcsight.sample.xsl. This Translator file is installed at defined location by default with installation, please check with vendor if not present.

    6. SyslogSendBOMPrefix: Description Whether or not the BOM (Byte Order Mark) prefix will be sent at the beginning of SYSLOG messages. Acceptable Values Yes/No. Recommended Default Value has to be set as No.

    7. UseLegacySyslogFormat: Set it as No. (Defines whether it will be sent in a newer syslog format (RFC 5424) or in a legacy format. We expect logs in newer syslog format.)

  4. DebugLevel: Determines the level of debug messages. Specify below values to include all possible logs as standard: PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
    Example: DebugLevel=PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)

image-20240116-135642.png

  1. Please ensure that you keep Windows Firewall Turned ON to let CyberArk server communicate with firewall and make rules to allow logs to be sent over Syslog on designated port which is UDP/514 by default and CyberHub IP.

  2. Create a rule in same file to allow communication to Syslog Port on CyberHub. Default is UDP 514

image-20240116-135705.png

To configure CyberArk Client Side

Additionally, we can control the type of logs we want to read by manually configuring the event types in PrivateArk Client.

a. PrivateArk Client >Tools > Options > Advanced > Log Configuration. For this modification, one must be logged in with Administrator Account. Recommendation is to select all 15 options starting from General Events to Detailed Communication Events.

image-20240116-140155.png

  1. Stop and Start Vault for changes to take effect.

To configure CyberArk Privilege Cloud to collect logs 

Privilege Cloud can integrate with SIEM applications to send audit logs through the syslog protocol. Before you can connect to SIEM, you must first deploy the Secure Tunnel for SIEM component.

To configure Secure Tunnel v3.0 or higher

Prerequisite

a. The name of the Connector client machine ID must be unique across domains. Only the machine host name is used to generate the tunnel ID and therefore it must be unique, even if the machines are deployed in multiple domains.

b. Secure Tunnel uses port 50000 by default. Check that this port is free for use. 
For more details, please refer device documentation: Deploy Secure Tunnel

  1. Ensure that the Connector client machine ID is unique, even when the machines are deployed in multiple domains. 

  2. Download the Secure Tunnel zip file by logging into the CyberArk Support Vault, and then unzip the package.

  3. Double-click the Secure Tunnel installation executable file to run the Secure Tunnel installation wizard.

  4. On the Select Installation Folder page, enter the location of the installation folder, and then click Install.

  5. On the Ready to Install page, click Finish.

When the installation is complete the configuration tool is launched.

If you have already installed secure tunnel prior, then you can open the configuration tool either from the desktop shortcut or from the installation folder at any time.

  1. In Authenticate to Privilege Cloud page, enter the credentials provided to you by CyberArk support.

  2. In Configure on-premise components page, add the components that you want to connect through the secure tunnel, and then click Configure Components.
    Enter the following information:

  • Component Type: SIEM

  • Host Address: The hostname or IP address of component server. 

  • Destination Port: The port used for connecting the Secure Tunnel server to the component server. Click Advanced to display this column. Typically, the port used for the SIEM component is 1468. If you are using different port, edit this field for the relevant component. 

  • Remote Port: The port used by the CyberArk to interface with your Secure Tunnel. Click Advanced to display this column. The Remote Port is provided to you by CyberArk support. Each interface has a default port. For multiple instances the ports are numbered sequentially. Typically the port used for SIEM component is: 1468 (first SIEM instance), 1469, etc.

  • Access through Secure Tunnels: You can configure which Secure Tunnels, your servers will access through, even if these Secure Tunnels are running on a different machine.

SIEM Integration:

Privilege Cloud can use either TLS 1.2 or TCP protocol to send messages. Use the steps below to connect Privilege Cloud to your SIEM servers:

Provide the following information to CyberArk support:

  • SIEM server IP: <CyberHub_IP>

  • SIEM server Port: 6514 

  • SIEM Server Protocol:  TLS

  • SIEM Type: ArcSight

  • TLS certificates: Contact Accenture device onboarding Team

For more details refer to the following link: Connect to SIEM

Integration Parameters

Parameters required from customer for Integration.

Property

Default Value

Description

IP Address

CyberArk Enterprise Password Vault IP address

Hostname or IP address of the device which forwards logs to the CyberHub

  • No labels

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.