CyberArk Privileged Access Security

Collect logs from CyberArk Privileged Access Security with Elastic Agent.

What is an Elastic integration?
Version
2.22.0 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

What's this?
Security
Observability
Subscription level
What's this?
Basic
Level of support
What's this?
Elastic

The CyberArk Privileged Access Security integration collects audit logs from CyberArk's Vault server.

Audit

The audit dataset receives Vault Audit logs for User and Safe activities over the syslog protocol.

Vault Configuration

Follow the steps under Security Information and Event Management (SIEM) Applications documentation to setup the integration:

  • Copy the elastic-json-v1.0.xsl XSL Translator file to the Server\Syslog folder.

  • Sample syslog configuration for DBPARM.ini:

[SYSLOG]
UseLegacySyslogFormat=No
SyslogTranslatorFile=Syslog\elastic-json-v1.0.xsl
SyslogServerIP=<INSERT FILEBEAT IP HERE>
SyslogServerPort=<INSERT FILEBEAT PORT HERE>
SyslogServerProtocol=TCP

For proper timestamping of events, it's recommended to use the newer RFC5424 Syslog format (UseLegacySyslogFormat=No). To avoid event loss, use TCP or TLS protocols instead of UDP.

Example event

An example event for audit looks as following:

{
    "@timestamp": "2021-03-04T17:27:14.000Z",
    "agent": {
        "ephemeral_id": "2e1e0d3f-9ac4-4f6a-816b-2b2b7400148a",
        "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.9.1"
    },
    "cyberarkpas": {
        "audit": {
            "action": "Logon",
            "desc": "Logon",
            "iso_timestamp": "2021-03-04T17:27:14Z",
            "issuer": "PVWAGWUser",
            "message": "Logon",
            "rfc5424": true,
            "severity": "Info",
            "station": "10.0.1.20",
            "timestamp": "Mar 04 09:27:14"
        }
    },
    "data_stream": {
        "dataset": "cyberarkpas.audit",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "5607d6f4-6e45-4c33-a087-2e07de5f0082",
        "snapshot": false,
        "version": "8.9.1"
    },
    "event": {
        "action": "authentication_success",
        "agent_id_status": "verified",
        "category": [
            "authentication",
            "session"
        ],
        "code": "7",
        "dataset": "cyberarkpas.audit",
        "ingested": "2023-08-29T14:16:49Z",
        "kind": "event",
        "outcome": "success",
        "severity": 2,
        "timezone": "+00:00",
        "type": [
            "start"
        ]
    },
    "host": {
        "name": "VAULT"
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "source": {
            "address": "172.21.0.4:38370"
        },
        "syslog": {
            "priority": 5
        }
    },
    "observer": {
        "hostname": "VAULT",
        "product": "Vault",
        "vendor": "Cyber-Ark",
        "version": "11.7.0000"
    },
    "related": {
        "ip": [
            "10.0.1.20"
        ],
        "user": [
            "PVWAGWUser"
        ]
    },
    "source": {
        "address": "10.0.1.20",
        "ip": "10.0.1.20"
    },
    "tags": [
        "cyberarkpas-audit",
        "forwarded"
    ],
    "user": {
        "name": "PVWAGWUser"
    }
}

Exported fields

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cyberarkpas.audit.action
A description of the audit record.
keyword
cyberarkpas.audit.ca_properties.address
keyword
cyberarkpas.audit.ca_properties.cpm_disabled
keyword
cyberarkpas.audit.ca_properties.cpm_error_details
keyword
cyberarkpas.audit.ca_properties.cpm_status
keyword
cyberarkpas.audit.ca_properties.creation_method
keyword
cyberarkpas.audit.ca_properties.customer
keyword
cyberarkpas.audit.ca_properties.database
keyword
cyberarkpas.audit.ca_properties.device_type
keyword
cyberarkpas.audit.ca_properties.dual_account_status
keyword
cyberarkpas.audit.ca_properties.group_name
keyword
cyberarkpas.audit.ca_properties.in_process
keyword
cyberarkpas.audit.ca_properties.index
keyword
cyberarkpas.audit.ca_properties.last_fail_date
keyword
cyberarkpas.audit.ca_properties.last_success_change
keyword
cyberarkpas.audit.ca_properties.last_success_reconciliation
keyword
cyberarkpas.audit.ca_properties.last_success_verification
keyword
cyberarkpas.audit.ca_properties.last_task
keyword
cyberarkpas.audit.ca_properties.logon_domain
keyword
cyberarkpas.audit.ca_properties.other
flattened
cyberarkpas.audit.ca_properties.policy_id
keyword
cyberarkpas.audit.ca_properties.port
keyword
cyberarkpas.audit.ca_properties.privcloud
keyword
cyberarkpas.audit.ca_properties.reset_immediately
keyword
cyberarkpas.audit.ca_properties.retries_count
keyword
cyberarkpas.audit.ca_properties.sequence_id
keyword
cyberarkpas.audit.ca_properties.tags
keyword
cyberarkpas.audit.ca_properties.user_dn
keyword
cyberarkpas.audit.ca_properties.user_name
keyword
cyberarkpas.audit.ca_properties.virtual_username
keyword
cyberarkpas.audit.category
The category name (for category-related operations).
keyword
cyberarkpas.audit.desc
A static value that displays a description of the audit codes.
keyword
cyberarkpas.audit.extra_details.ad_process_id
keyword
cyberarkpas.audit.extra_details.ad_process_name
keyword
cyberarkpas.audit.extra_details.application_type
keyword
cyberarkpas.audit.extra_details.command
keyword
cyberarkpas.audit.extra_details.connection_component_id
keyword
cyberarkpas.audit.extra_details.dst_host
keyword
cyberarkpas.audit.extra_details.logon_account
keyword
cyberarkpas.audit.extra_details.managed_account
keyword
cyberarkpas.audit.extra_details.other
flattened
cyberarkpas.audit.extra_details.process_id
keyword
cyberarkpas.audit.extra_details.process_name
keyword
cyberarkpas.audit.extra_details.protocol
keyword
cyberarkpas.audit.extra_details.psmid
keyword
cyberarkpas.audit.extra_details.session_duration
keyword
cyberarkpas.audit.extra_details.session_id
keyword
cyberarkpas.audit.extra_details.src_host
keyword
cyberarkpas.audit.extra_details.username
keyword
cyberarkpas.audit.file
The name of the target file.
keyword
cyberarkpas.audit.gateway_station
The IP of the web application machine (PVWA).
ip
cyberarkpas.audit.hostname
The hostname, in upper case.
keyword
cyberarkpas.audit.iso_timestamp
The timestamp, in ISO Timestamp format (RFC 3339).
date
cyberarkpas.audit.issuer
The Vault user who wrote the audit. This is usually the user who performed the operation.
keyword
cyberarkpas.audit.location
The target Location (for Location operations).
keyword
cyberarkpas.audit.message
A description of the audit records (same information as in the Desc field).
keyword
cyberarkpas.audit.message_id
The code ID of the audit records.
keyword
cyberarkpas.audit.product
A static value that represents the product.
keyword
cyberarkpas.audit.pvwa_details
Specific details of the PVWA audit records.
flattened
cyberarkpas.audit.raw
Raw XML for the original audit record. Only present when XSLT file has debugging enabled.
keyword
cyberarkpas.audit.reason
The reason entered by the user.
text
cyberarkpas.audit.rfc5424
Whether the syslog format complies with RFC5424.
boolean
cyberarkpas.audit.safe
The name of the target Safe.
keyword
cyberarkpas.audit.severity
The severity of the audit records.
keyword
cyberarkpas.audit.source_user
The name of the Vault user who performed the operation.
keyword
cyberarkpas.audit.station
The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.
ip
cyberarkpas.audit.target_user
The name of the Vault user on which the operation was performed.
keyword
cyberarkpas.audit.timestamp
The timestamp, in MMM DD HH:MM:SS format.
keyword
cyberarkpas.audit.vendor
A static value that represents the vendor.
keyword
cyberarkpas.audit.version
A static value that represents the version of the Vault.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset
constant_keyword
event.module
Name of the module this data is coming from.
constant_keyword
input.type
Type of Filebeat input.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
log.source.address
Source address from which the log event was read / sent from.
keyword

Changelog

VersionDetailsKibana version(s)

2.22.0

Enhancement View pull request
Allow @custom pipeline access to event.original without setting preserve_original_event.

8.13.0 or higher

2.21.0

Enhancement View pull request
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

2.20.0

Enhancement View pull request
Update manifest format version to v3.0.3.

8.7.1 or higher

2.19.3

Bug fix View pull request
Clean up null handling, formatting

8.7.1 or higher

2.19.2

Enhancement View pull request
Changed owners

8.7.1 or higher

2.19.1

Bug fix View pull request
Fix exclude_files pattern.

8.7.1 or higher

2.19.0

Enhancement View pull request
ECS version updated to 8.11.0.

8.7.1 or higher

2.18.0

Enhancement View pull request
Improve 'event.original' check to avoid errors if set.

8.7.1 or higher

2.17.0

Enhancement View pull request
Update the package format_version to 3.0.0.

8.7.1 or higher

2.16.0

Enhancement View pull request
Update package to ECS 8.10.0 and align ECS categorization fields.

8.7.1 or higher

2.15.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.7.1 or higher

2.14.0

Enhancement View pull request
Update package-spec to 2.10.0.

8.7.1 or higher

2.13.0

Enhancement View pull request
Update package to ECS 8.9.0.

8.7.1 or higher

2.12.0

Enhancement View pull request
Convert visualizations to lens.

8.7.1 or higher

2.11.0

Enhancement View pull request
Update package to ECS 8.8.0.

7.16.0 or higher
8.0.0 or higher

2.10.0

Enhancement View pull request
Update package to ECS 8.7.0.

7.16.0 or higher
8.0.0 or higher

2.9.1

Enhancement View pull request
Added categories and/or subcategories.

7.16.0 or higher
8.0.0 or higher

2.9.0

Enhancement View pull request
Update package to ECS 8.6.0.

7.16.0 or higher
8.0.0 or higher

2.8.0

Enhancement View pull request
Add udp_options to the UDP input.

7.16.0 or higher
8.0.0 or higher

2.7.0

Enhancement View pull request
Update package to ECS 8.5.0.

7.16.0 or higher
8.0.0 or higher

2.6.2

Bug fix View pull request
Remove duplicate field.

7.16.0 or higher
8.0.0 or higher

2.6.1

Enhancement View pull request
Use ECS geo.location definition.

7.16.0 or higher
8.0.0 or higher

2.6.0

Enhancement View pull request
Update package to ECS 8.4.0

7.16.0 or higher
8.0.0 or higher

2.5.1

Enhancement View pull request
Update package name and description to align with standard wording

7.16.0 or higher
8.0.0 or higher

2.5.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.16.0 or higher
8.0.0 or higher

2.4.2

Bug fix View pull request
Fix broken file paths configuration variable

7.16.0 or higher
8.0.0 or higher

2.4.1

Enhancement View pull request
Update to readme. added link to vendor documentation

2.4.0

Enhancement View pull request
Update to ECS 8.2

7.16.0 or higher
8.0.0 or higher

2.3.2

Bug fix View pull request
Fix error ingesting events with a single entry in the CAProperties field

7.16.0 or higher
8.0.0 or higher

2.3.1

Enhancement View pull request
Add documentation for multi-fields

Bug fix View pull request
Remove duplicated definition of event.dataset field.

2.3.0

Enhancement View pull request
Update to ECS 8.0

7.16.0 or higher
8.0.0 or higher

2.2.2

Bug fix View pull request
Regenerate test files using the new GeoIP database

7.16.0 or higher
8.0.0 or higher

2.2.1

Bug fix View pull request
Change test public IPs to the supported subset

2.2.0

Enhancement View pull request
Add 8.0.0 version constraint

7.16.0 or higher
8.0.0 or higher

2.1.4

Enhancement View pull request
Uniform with guidelines

7.16.0 or higher

2.1.3

Enhancement View pull request
Remove dash from title for consistency with brand.

2.1.2

Enhancement View pull request
Update Title and Description.

7.16.0 or higher

2.1.1

Bug fix View pull request
Fix logic that checks for the 'forwarded' tag

2.1.0

Enhancement View pull request
Update to ECS 1.12.0

2.0.0

Enhancement View pull request
make GA

1.2.3

Enhancement View pull request
Convert to generated ECS fields

7.14.0 or higher

1.2.2

Enhancement View pull request
update to ECS 1.11.0

1.2.1

Enhancement View pull request
Escape special characters in docs

1.2.0

Enhancement View pull request
Update integration description

1.1.0

Enhancement View pull request
Set "event.module" and "event.dataset"

7.14.0 or higher

1.0.1

Enhancement View pull request
updating ECS version and adding event.original options

1.0.0

Enhancement View pull request
initial release

7.13.0 or higher

On this page