IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
CyberArk Privileged Access Security Recommended Monitor
editCyberArk Privileged Access Security Recommended Monitor
editIdentifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
Rule type: query
Rule indices:
- filebeat-*
- logs-cyberarkpas.audit*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-30m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_3#RecommendedActionCodesforMonitoring
Tags:
- Elastic
- cyberarkpas
- SecOps
- Log Auditing
- Threat Detection
- Privilege Escalation
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Setup The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. ## Triage and analysis This is a promotion rule for CyberArk events, which the vendor recommends should be monitored. Consult vendor documentation on interpreting specific events.
Rule query
editevent.dataset:cyberarkpas.audit and event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and not event.type:error
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/