CyberArk Enterprise Password Vault

About the Device

CyberArk Enterprise Password Vault, part of the CyberArk Privileged Account Security Solution, enables organizations to secure, manage and track the use of privileged credentials whether on premise or in the cloud, across operating systems, databases, applications, hypervisors, network devices and more. The product is built on the CyberArk Shared Technology Platform, delivering scalability, high availability and centralized management and reporting.

Device Information

Entity           Particulars
Vendor Name      CyberArk
Product Name     Enterprise Password Vault (now part of Privileged Access Manager)
Type of Device   Hosted

Collection Method

Log Type                   Ingestion label            Preferred Logging Protocol - Format   Log Collection Method
CyberArk Privilege Cloud   CYBERARK_PRIVILEGE_CLOUD   Syslog - CEF                          CyberHub

Port Requirements

Source                                                          Destination   Port
CyberArk Enterprise Password Vault (CyberArk EPV)               CyberHub      601 (TCP)
CyberArk Enterprise Password Vault (CyberArk Privilege Cloud)   CyberHub      6514 (TLS)

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

To Configure CyberArk EPV to Collect Logs

Syslog messages can be sent to multiple syslog servers in two different ways:

  • Logs from the logfile are parsed using a single XSL file (Arcsight.sample.xsl) and sent to multiple syslog destinations.

  • Logs from the logfile can be sent to different syslog destinations and formatted differently for each destination by configuring multiple XSL files, formats, and code message lists. It is not mandatory to keep the code message lists in the same order as mentioned; it is up to you to set the order to fetch the required activity logs according to codes.

  1. Log in to the CyberArk EPV server directly or through RDP as an Administrator.

  2. In <InstallDir>\PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section with all its fields.

  3. In <InstallDir>\PrivateArk\Server\DBParm.ini, paste the SYSLOG section at the bottom. The default location of this file is C:\Program Files (x86)\PrivateArk\Server\DBParm.ini.

  4. The configuration parameters for SYSLOG are listed below:

a. SyslogServerIP – CyberHub IP Address. Specify multiple values with commas if needed.

b. SyslogServerProtocol – TCP

c. SyslogServerPort – 601

d. SyslogMessageCodeFilter – Set it to 0-999 to ensure that all possible types of logs are sent over Syslog. Defines which message codes are sent from the Vault to the SIEM application through the Syslog protocol. You can specify message numbers and/or ranges of numbers, separated by commas. Specify multiple values with the pipe character (|). By default, all message codes are sent for user and Safe activities. For a list of messages and codes, refer to the Privileged Account Security Reference Guide.


e. SyslogTranslatorFile – Specifies the XSL file used to translate CyberArk audit records into Syslog messages. Specify multiple values with commas. Set it to <InstallDir>\PrivateArk\Server\Syslog\Arcsight.sample.xsl. This translator file is installed at that location by default; check with the vendor if it is not present.

<InstallDir>\PrivateArk\Server\Syslog\Arcsight.sample.xsl is the default installation file. It must not be modified and must be used in the SyslogTranslatorFile configuration above.

f. SyslogSendBOMPrefix – Whether or not the BOM (Byte Order Mark) prefix is sent at the beginning of Syslog messages. Acceptable values: Yes/No. Set it to the recommended default, No.

g. UseLegacySyslogFormat – Set it to No. Defines whether messages are sent in the newer syslog format (RFC 5424) or in the legacy format; we expect logs in the newer format.

h. DebugLevel – Determines the level of debug messages. Specify the values below to include all possible logs as standard: PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
    Example: DebugLevel=PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
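As an added check that is not part of the CyberArk product or this guide, the following Python script reads the SYSLOG section of a DBParm.ini and reports every parameter that differs from the values required above; the embedded sample section and the 192.0.2.10 CyberHub address are constructed placeholders.

```python
import configparser

# Values this guide requires in the SYSLOG section of DBParm.ini.
REQUIRED = {
    "SyslogServerProtocol": "TCP",
    "SyslogServerPort": "601",
    "SyslogMessageCodeFilter": "0-999",
    "SyslogSendBOMPrefix": "No",
    "UseLegacySyslogFormat": "No",
}
TRANSLATOR_SUFFIX = r"\PrivateArk\Server\Syslog\Arcsight.sample.xsl"
DEBUG_LEVEL = "PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)"

# Constructed sample of a correctly configured section (not from a real vault);
# 192.0.2.10 is a placeholder for the CyberHub IP address.
SAMPLE_OK = r"""[SYSLOG]
SyslogServerIP=192.0.2.10
SyslogServerProtocol=TCP
SyslogServerPort=601
SyslogMessageCodeFilter=0-999
SyslogTranslatorFile=C:\Program Files (x86)\PrivateArk\Server\Syslog\Arcsight.sample.xsl
SyslogSendBOMPrefix=No
UseLegacySyslogFormat=No
DebugLevel=PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
"""

def check_syslog_section(ini_text: str) -> list:
    """Return findings for the SYSLOG section; an empty list means it matches the guide."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in DBParm.ini
    cp.read_string(ini_text)
    if not cp.has_section("SYSLOG"):
        return ["SYSLOG section missing: copy it from DBParm.sample.ini"]
    s = cp["SYSLOG"]
    findings = []
    for key, want in REQUIRED.items():
        got = s.get(key)
        if got is None:
            findings.append(f"{key} missing (expected {want})")
        elif got.strip().lower() != want.lower():
            findings.append(f"{key}={got.strip()} (expected {want})")
    # SyslogServerIP may list several comma-separated destinations; at least one is needed
    if not [ip for ip in s.get("SyslogServerIP", "").split(",") if ip.strip()]:
        findings.append("SyslogServerIP missing: set the CyberHub IP address")
    if not s.get("SyslogTranslatorFile", "").strip().lower().endswith(TRANSLATOR_SUFFIX.lower()):
        findings.append("SyslogTranslatorFile must be <InstallDir>" + TRANSLATOR_SUFFIX)
    if s.get("DebugLevel", "").replace(" ", "") != DEBUG_LEVEL:
        findings.append("DebugLevel differs from the recommended value")
    return findings
```

Run it against the real file with `check_syslog_section(open(path).read())` after the SYSLOG section has been pasted into DBParm.ini.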

  5. Keep Windows Firewall turned on so that the CyberArk server communicates through it, and create rules that allow logs to be sent over Syslog to the CyberHub IP on the designated port, which is TCP/601 by default.

  6. Create a rule in the same file to allow communication to the Syslog port on the CyberHub; the port should be 601. This configuration must be done in C:\Program Files (x86)\PrivateArk\Server\DBParm.ini.

CyberArk Client Side Configuration (Step-8) Only

  1. Additionally, you can control which types of logs are read by manually configuring the event types in the PrivateArk Client.

a. PrivateArk Client > Tools > Options > Advanced > Log Configuration. You must be logged in with an Administrator account to make this change. The recommendation is to select all 15 options, from General Events to Detailed Communication Events.

  2. Log in to the CyberArk EPV server directly or through RDP, open the PrivateArk Server console as an Administrator, and stop and start the Vault server for the changes to take effect.
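Once the Vault has been restarted, the SyslogSendBOMPrefix and UseLegacySyslogFormat settings can be confirmed from what actually arrives on the CyberHub. The following Python check is an added example, not part of the guide or the product: it classifies a received message (BOM present or not, RFC 5424 versus legacy header, CEF body present) and maps each deviation back to the DBParm.ini parameter to correct; the sample messages are constructed, not captured from a real Vault.

```python
import re

BOM = b"\xef\xbb\xbf"
# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(r"^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ ")
# RFC 3164 (legacy) header: <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")
# CEF header: CEF:Version|Device Vendor|Device Product|...
CEF_HEADER = re.compile(r"CEF:0\|([^|]*)\|([^|]*)\|")

def classify(raw: bytes) -> dict:
    """Describe one message as it arrived on the CyberHub listener."""
    has_bom = raw.startswith(BOM)
    text = raw[(len(BOM) if has_bom else 0):].decode("utf-8", "replace")
    fmt = "rfc5424" if RFC5424.match(text) else "rfc3164" if RFC3164.match(text) else "unknown"
    cef = CEF_HEADER.search(text)
    return {"bom": has_bom, "format": fmt, "cef": cef is not None,
            "vendor": cef.group(1) if cef else None}

def findings(raw: bytes) -> list:
    """Map what was received back to the DBParm.ini setting that would fix it."""
    info = classify(raw)
    out = []
    if info["bom"]:
        out.append("BOM prefix present: set SyslogSendBOMPrefix=No")
    if info["format"] != "rfc5424":
        out.append("not RFC 5424: set UseLegacySyslogFormat=No")
    if not info["cef"]:
        out.append("no CEF body: check SyslogTranslatorFile points at Arcsight.sample.xsl")
    return out

# Constructed samples (not captured from a real vault): the expected shape, and a
# message sent with the BOM prefix and the legacy format still enabled.
SAMPLE_OK = (b"<13>1 2024-01-16T13:56:17Z vault01 CyberArk - - - "
             b"CEF:0|CyberArk|Vault|14.0|295|Retrieve password|5|suser=admin\n")
SAMPLE_LEGACY = (BOM + b"<13>Jan 16 13:56:17 vault01 "
                 b"CEF:0|CyberArk|Vault|14.0|295|Retrieve password|5|suser=admin\n")
```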

To configure CyberArk Privilege Cloud to collect logs 

Privilege Cloud can integrate with SIEM applications to send audit logs through the syslog protocol. Before you can connect to SIEM, you must first deploy the Secure Tunnel for SIEM component.

To configure Secure Tunnel v3.0 or higher

  Prerequisites and considerations before installing Secure Tunnel:

a. The Connector client machine ID must be unique across domains. Only the machine host name is used to generate the tunnel ID, so it must be unique even if the machines are deployed in multiple domains.

b. Secure Tunnel uses port 50000 by default. Check that this port is free for use.
For more details, refer to the device documentation: Deploy Secure Tunnel

  1. Ensure that the Connector client machine ID is unique, even when the machines are deployed in multiple domains. 

  2. Download the Secure Tunnel zip file by logging into the CyberArk Support Vault, and then unzip the package.

  3. Double-click the Secure Tunnel installation executable file to run the Secure Tunnel installation wizard.

  4. In Select Installation Folder, enter the location of the installation folder, and then click Install.

  5. In Ready to Install, click Finish.

  6. In Authenticate to Privilege Cloud, enter the credentials provided to you by CyberArk support.

  7. In Configure on-premise components, add the components that you want to connect through the secure tunnel, and then click Configure Components.
    Enter the following information:

  • Component Type: SIEM

  • Host Address: CyberHub IP Address

  • Destination Port: 6514

  • Remote Port: The port used by CyberArk to interface with your Secure Tunnel. Click Advanced to display this column. The Remote Port is provided to you by CyberArk support. Each interface has a default port; for multiple instances the ports are numbered sequentially. The default port is 1468. If another SIEM or service is already using this port, choose the next port in incremental order.

  • Access through Secure Tunnels: You can configure which Secure Tunnels your servers will access through, even if those Secure Tunnels are running on a different machine.

SIEM Integration:

Provide the following information to CyberArk support:

  • SIEM server IP: <CyberHub_IP>

  • SIEM server Port: 6514 

  • SIEM Server Protocol:  TLS

  • SIEM Type: ArcSight

  • TLS certificates: Contact Accenture device onboarding Team

Integration Parameters

Parameters required from the customer for integration.

Property     Default Value                                   Description
IP Address   CyberArk Enterprise Password Vault IP address   Hostname or IP address of the device which forwards logs to the CyberHub

About Accenture:
Accenture is a leading global professional services company that helps the world’s leading businesses, governments and other organizations build their digital core, optimize their operations, accelerate revenue growth and enhance citizen services—creating tangible value at speed and scale. We are a talent and innovation led company with 738,000 people serving clients in more than 120 countries. Technology is at the core of change today, and we are one of the world’s leaders in helping drive that change, with strong ecosystem relationships. We combine our strength in technology with unmatched industry experience, functional expertise and global delivery capability. We are uniquely able to deliver tangible outcomes because of our broad range of services, solutions and assets across Strategy & Consulting, Technology, Operations, Industry X and Accenture Song. These capabilities, together with our culture of shared success and commitment to creating 360° value, enable us to help our clients succeed and build trusted, lasting relationships. We measure our success by the 360° value we create for our clients, each other, our shareholders, partners and communities. Visit us at www.accenture.com.

About Accenture Security
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.

Legal notice: Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. This document is intended for general informational purposes only and does not take into account the reader’s specific circumstances, and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own legal counsel or other licensed professionals.