AlienVault® USM Anywhere™

CyberArk Enterprise Password Vault

When you configure CyberArk Enterprise Password Vault to send log data to USM Anywhere, you can use the CyberArk Enterprise Password Vault plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  Vendor            CyberArk
  Device Type       Data Protection
  Connection Type   Syslog

Integrating CyberArk Enterprise Password Vault

Before you configure the CyberArk Enterprise Password Vault integration, you must have the IP Address of the USM Anywhere Sensor.

To configure CyberArk Enterprise Password Vault to send Syslog messages (in CEF format) to USM Anywhere

  1. In the DBParm.ini file, configure the following parameters:
    • SyslogServerIP ─ The IP address of the USM Anywhere Sensor.
    • SyslogServerPort ─ The UDP port used to connect to the USM Anywhere Sensor. The default value is 514.
    • SyslogMessageCodeFilter ─ Specifies which message codes will be sent from the Vault to the USM Anywhere Sensor through the Syslog protocol. You can specify message numbers, ranges of numbers (separated by commas), or both. For example, to specify messages 1,2,3,30, and 5-10, you would specify the following value: 1,2,3,5-10, 30. By default, all message codes are sent for User and Safe activities.
    • SyslogTranslatorFile ─ Specifies the XSL file used to parse CyberArk audit records data into the Syslog protocol. The Syslog subfolder in the CyberArk Server installation folder contains sample XSL translator files.
  2. Copy the Arcsight.sample.xsl XSL translator file from the Syslog subfolder of the CyberArk Server installation folder to the location specified in the SyslogTranslatorFile parameter in the DBParm.ini file.

Plugin Enablement

The CyberArk Enterprise Password Vault plugin automatically processes all messages when the raw message contains "Cyber-Ark|Vault".
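The two points above that a practitioner usually wants to check before trusting the integration are the SyslogMessageCodeFilter expression and the "Cyber-Ark|Vault" enablement condition. The following added example (not USM Anywhere or CyberArk code) expands a filter value such as "1,2,3,5-10, 30" into the set of message codes it admits, and parses a CEF line into header and extension fields the way the plugin would see it; the sample record, its version number and the mapping of CEF header positions onto the plugin field names listed below are assumptions made for illustration.

```python
import re

# Constructed sample: a Vault audit record as it might arrive over syslog after
# the Arcsight.sample.xsl translation. All values are made up for this example.
SAMPLE = ('CEF:0|Cyber-Ark|Vault|12.0|7|Logon|5|act=Logon suser=alice '
          'shost=vaultsrv01 dhost=pvwa01 cs1Label=Safe cs1=HR-Admin '
          'cn1Label=Session cn1=42 msg=User alice logged on')

ENABLEMENT_MARKER = 'Cyber-Ark|Vault'   # substring the plugin keys on


def plugin_applies(raw):
    """Mirror the enablement rule: only raw messages containing the marker are processed."""
    return ENABLEMENT_MARKER in raw


def parse_code_filter(expr):
    """Expand a SyslogMessageCodeFilter value ('1,2,3,5-10, 30') into a set of message codes."""
    codes = set()
    for part in expr.split(','):
        part = part.strip()
        if not part:
            continue
        if '-' in part:
            lo, hi = (int(x) for x in part.split('-', 1))
            codes.update(range(lo, hi + 1))
        else:
            codes.add(int(part))
    return codes


def parse_cef(raw):
    """Split a CEF line into its seven header fields plus key=value extensions.
    The plugin field names used as keys are an assumed mapping, not the plugin's own."""
    if not plugin_applies(raw):
        return None
    body = raw[raw.index('CEF:'):]
    # Pipes inside header values are escaped as '\|'; split only on unescaped ones.
    parts = re.split(r'(?<!\\)\|', body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    event = {
        'rep_device_vendor': parts[1],
        'rep_device_type': parts[2],
        'rep_device_version': parts[3],
        'rep_device_rule_id': parts[4],   # CyberArk message code
        'event_name': parts[5],
        'event_severity': parts[6],
    }
    # Extension values may contain spaces, so each value runs until the next 'key='.
    for key, val in re.findall(r'(\w+)=(.*?)(?=\s+\w+=|$)', parts[7]):
        event[key] = val
    return event


def passes_filter(event, code_filter):
    """True when the record's message code is admitted by the configured filter."""
    return int(event['rep_device_rule_id']) in parse_code_filter(code_filter)
```

Running the sample through parse_cef and passes_filter shows which records a given SyslogMessageCodeFilter would actually forward before the DBParm.ini change is made on the Vault.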

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • audit_reason
  • customfield_1
  • customfield_4
  • customheader_0
  • customheader_1
  • customheader_3
  • customheader_4
  • destination_hostname
  • destination_username
  • device_custom_number_1
  • device_custom_number_1_label
  • device_custom_number_2_label
  • event_action
  • event_description
  • event_name
  • event_severity
  • file_name
  • plugin_device
  • plugin_device_type
  • rep_device_address
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • source_hostname
  • source_username

Additional Resources and Troubleshooting

For troubleshooting, see the vendor documentation.