
About the Device

CyberArk Enterprise Password Vault, part of the CyberArk Privileged Account Security Solution, enables organizations to secure, manage and track the use of privileged credentials whether on premise or in the cloud, across operating systems, databases, applications, hypervisors, network devices and more. The product is built on the CyberArk Shared Technology Platform, delivering scalability, high availability and centralized management and reporting.

Device Information

  Entity           Particulars
  Vendor Name      CyberArk
  Product Name     Enterprise Password Vault (now comes under Privileged Access Manager)
  Type of Device   Hosted

Collection Method

  Log Type                   Ingestion label            Preferred Logging Protocol - Format   Log Collection Method
  CyberArk Privilege Cloud   CYBERARK_PRIVILEGE_CLOUD   Syslog - CEF                          CyberHub

Port Requirements

  Source                                                          Destination   Port
  CyberArk Enterprise Password Vault (CyberArk EPV)               CyberHub      601 (TCP)
  CyberArk Enterprise Password Vault (CyberArk Privilege Cloud)   CyberHub      6514 (TLS)

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

To Configure CyberArk EPV to Collect Logs

Syslog messages can be sent to multiple syslog servers in two different ways:

  • Logs from the logfile are parsed using a single XSL file (Arcsight.sample.xsl) and sent to multiple syslog destinations.

  • Logs from the logfile can be sent to different syslog destinations and formatted differently for each destination by configuring multiple XSL files, formats, and message code lists. It is not mandatory to keep the message code lists in the order shown; you choose the order so that the required activity logs are fetched according to their codes.

  1. Log in to the CyberArk EPV server directly or through RDP as an Administrator.

  2. In <InstallDir>\PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section with all of its fields. The default install directory is C:\Program Files (x86)\PrivateArk\Server, so the file to edit is C:\Program Files (x86)\PrivateArk\Server\DBParm.ini.

  3. In <InstallDir>\PrivateArk\Server\DBParm.ini, paste the SYSLOG section at the bottom of the file.

  4. The configuration parameters for SYSLOG are listed below:

a. SyslogServerIP – CyberHub IP address. Specify multiple values separated by commas if needed.

b. SyslogServerProtocol – TCP

c. SyslogServerPort – 601

d. SyslogMessageCodeFilter – Set to 0-999 so that all possible types of logs are sent over Syslog. Defines which message codes are sent from the Vault to the SIEM application through the Syslog protocol. You can specify message numbers and/or ranges of numbers separated by commas; specify multiple values (one per destination) separated by pipes (|). By default, all message codes are sent for user and Safe activities. For a list of messages and codes, refer to the Privileged Account Security Reference Guide.

e. SyslogTranslatorFile – Specifies the XSL file used to parse CyberArk audit records into the Syslog protocol. Specify multiple values separated by commas. Set it to <InstallDir>\PrivateArk\Server\Syslog\Arcsight.sample.xsl. This translator file is installed at that location by default; check with the vendor if it is not present.

<InstallDir>\PrivateArk\Server\Syslog\Arcsight.sample.xsl is the default installation file. It must not be changed and must be used in the SyslogTranslatorFile configuration above.

f. SyslogSendBOMPrefix – Whether or not the BOM (Byte Order Mark) prefix is sent at the beginning of SYSLOG messages. Acceptable values: Yes/No. Recommended (default) value: No.

g. UseLegacySyslogFormat – Set to No. Defines whether messages are sent in the newer syslog format (RFC 5424) or in the legacy format; we expect logs in the newer syslog format.

h. DebugLevel – Determines the level of debug messages. Specify the values below to include all possible logs as standard: PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
    Example: DebugLevel=PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
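A worked DBParm.ini SYSLOG section that applies the values above, added here as an illustration; it is not taken from the page or from CyberArk's DBParm.sample.ini. The CyberHub address is a placeholder, the translator path assumes the default install directory, the [SYSLOG] header follows the INI section convention DBParm.ini uses, and the ; comment lines are explanatory only and can be dropped:

```ini
[SYSLOG]
; Placeholder: replace with the CyberHub IP address provided at onboarding.
SyslogServerIP=<CyberHub_IP>
SyslogServerProtocol=TCP
SyslogServerPort=601
; 0-999 forwards every message code for user and Safe activities.
SyslogMessageCodeFilter=0-999
; Translator shipped with the Vault; use it as installed, do not edit the XSL.
SyslogTranslatorFile=C:\Program Files (x86)\PrivateArk\Server\Syslog\Arcsight.sample.xsl
SyslogSendBOMPrefix=No
; No selects the newer RFC 5424 format that CyberHub expects.
UseLegacySyslogFormat=No

; DebugLevel is listed with the syslog parameters above but is a separate
; DBParm.ini parameter: put this line where DBParm.sample.ini already defines it.
DebugLevel=PE(1,2,3,4,5,6,7,8,9,10,13),PERF(1,2,3,4),SYSLOG(1,2),UI(8),LDAP(14,15)
```

The Vault only reads DBParm.ini at start-up, so the stop/start of the Vault server described later in this procedure is what makes these values take effect.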

  5. Keep Windows Firewall turned ON on the CyberArk server and create rules that allow logs to be sent over Syslog to the CyberHub IP address on the designated port, which is TCP/601 by default.

  6. Create a firewall rule that allows communication to the Syslog port on CyberHub; the port should be 601. The SYSLOG configuration itself is made in C:\Program Files (x86)\PrivateArk\Server\DBParm.ini.
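The firewall step expressed as PowerShell, added here as an example rather than taken from the page or from CyberArk: it creates one outbound rule scoped to the CyberHub address and TCP/601, confirms that Windows Firewall is enabled on every profile, and tests reachability of the CyberHub port before the Vault is restarted. Run it as Administrator on the Vault server; $CyberHubIp and the rule name are placeholders chosen for this example.

```powershell
# Added example (not from the page or CyberArk): outbound syslog path from the
# EPV server to CyberHub, scoped to the single destination the page specifies.
$CyberHubIp = '<CyberHub_IP>'   # placeholder: the CyberHub IP address provided at onboarding
$SyslogPort = 601               # TCP/601 per the page; 6514 where TLS forwarding is used
$RuleName   = 'CyberArk Vault - Syslog to CyberHub'   # assumed name, any unique name works

# Create the outbound allow rule only if it does not exist yet, and restrict it
# to the one remote address and port so nothing else is opened.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $CyberHubIp -RemotePort $SyslogPort `
        -Profile Any -Enabled True | Out-Null
}

# The page asks for Windows Firewall to stay ON: show the state of each profile.
Get-NetFirewallProfile | Select-Object Name, Enabled

# Verify that the Vault can actually reach the CyberHub syslog port; a failure
# here points at an intermediate firewall, not at the DBParm.ini settings.
$probe = Test-NetConnection -ComputerName $CyberHubIp -Port $SyslogPort
if ($probe.TcpTestSucceeded) {
    Write-Output "TCP $SyslogPort to $CyberHubIp is reachable; restart the Vault to apply DBParm.ini."
} else {
    Write-Warning "TCP $SyslogPort to $CyberHubIp is NOT reachable; check network firewalls before restarting."
}
```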


CyberArk Client Side Configuration (Step-8) Only

  7. Additionally, you can control the type of logs to be read by manually configuring the event types in the PrivateArk Client.

a. PrivateArk Client > Tools > Options > Advanced > Log Configuration. You must be logged in with an Administrator account to make this change. The recommendation is to select all 15 options, from General Events through Detailed Communication Events.

  8. Log in to the CyberArk EPV server directly or through RDP and open the PrivateArk Server console as an Administrator. Stop and start the Vault server for the changes to take effect.

To configure CyberArk Privilege Cloud to collect logs 

Privilege Cloud can integrate with SIEM applications to send audit logs through the syslog protocol. Before you can connect to SIEM, you must first deploy the Secure Tunnel for SIEM component.

To configure Secure Tunnel v3.0 or higher

  Prerequisites and considerations before installing Secure Tunnel:

a. The name of the Connector client machine ID must be unique across domains. Only the machine host name is used to generate the tunnel ID, so it must be unique even if the machines are deployed in multiple domains.

b. Secure Tunnel uses port 50000 by default. Check that this port is free for use.
For more details, please refer to the device documentation: Deploy Secure Tunnel

  1. Ensure that the Connector client machine ID is unique, even when the machines are deployed in multiple domains.

  2. Download the Secure Tunnel zip file by logging into the CyberArk Support Vault, and then unzip the package.

  3. Double-click the Secure Tunnel installation executable file to run the Secure Tunnel installation wizard.

  4. In Select Installation Folder, enter the location of the installation folder, and then click Install.

  5. In Ready to Install, click Finish.

When the installation is complete the configuration tool is launched.

If you have already installed secure tunnel prior, then you can open the configuration tool either from the desktop shortcut or from the installation folder at any time.

  1. In Authenticate to Privilege Cloud, enter the credentials provided to you by CyberArk support.

  2. In Configure on-premise components, add the components that you want to connect through the secure tunnel, and then click Configure Components.
    Enter the following information:

  • Component Type: SIEM

  • Host Address: CyberHub IP Address

  • Destination Port: 6514

  • Remote Port: The port used by CyberArk to interface with your Secure Tunnel. Click Advanced to display this column. The Remote Port is provided to you by CyberArk support. Each interface has a default port; for multiple instances the ports are numbered sequentially. The default port is 1468. If another SIEM or service is already using this port, choose the next port in incremental order.

  • Access through Secure Tunnels: You can configure which Secure Tunnels your servers will access through, even if those Secure Tunnels are running on a different machine.

SIEM Integration:

Provide the following information to CyberArk support:

  • SIEM server IP: <CyberHub_IP>

  • SIEM server Port: 6514 

  • SIEM Server Protocol:  TLS

  • SIEM Type: ArcSight

  • TLS certificates: Contact Accenture device onboarding Team

For more details refer to the following link: Connect to SIEM

Integration Parameters

Parameters required from customer for Integration.

  Property     Default Value                                   Description
  IP Address   CyberArk Enterprise Password Vault IP address   Hostname or IP address of the device which forwards logs to the CyberHub
