IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
CyberArk Privileged Access Security Recommended Monitor
editCyberArk Privileged Access Security Recommended Monitor
editIdentifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
Rule type: query
Rule indices:
- filebeat-*
- logs-cyberarkpas.audit*
Severity: high
Risk score: 73
Runs every: 5m
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_3#RecommendedActionCodesforMonitoring
Tags:
- Data Source: CyberArk PAS
- Use Case: Log Auditing
- Use Case: Threat Detection
- Tactic: Privilege Escalation
Version: 102
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis This is a promotion rule for CyberArk events, which the vendor recommends should be monitored. Consult vendor documentation on interpreting specific events.
Rule query
editevent.dataset:cyberarkpas.audit and
event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or
308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and
not event.type:error
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/