When you configure CyberArk Enterprise Password Vault to send log data to USM Appliance, you can use the CyberArk Enterprise Password Vault plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.
Device | Details |
---|---|
Vendor | CyberArk |
Device Type | Data Protection |
Connection Type | Syslog |
Data Source Name | cyberark |
Data Source ID | 1791 |
Integrating CyberArk Enterprise Password Vault
Before you configure the CyberArk Enterprise Password Vault integration, you must have the IP address of the USM Appliance Sensor.
To configure CyberArk Enterprise Password Vault to send Syslog messages (in CEF format) to USM Appliance:
- In the DBParm.ini file, configure the following parameters:
  - SyslogServerIP ─ The IP address of the USM Appliance Sensor.
  - SyslogServerPort ─ The UDP port used to connect to the USM Appliance Sensor. The default value is 514.
  - SyslogMessageCodeFilter ─ Specifies which message codes will be sent from the Vault to the USM Appliance Sensor through the Syslog protocol. You can specify message numbers, ranges of numbers (separated by commas), or both. For example, to specify messages 1, 2, 3, 30, and 5-10, you would specify the following value: 1,2,3,5-10, 30. By default, all message codes are sent for User and Safe activities.
  - SyslogTranslatorFile ─ Specifies the XSL file used to parse CyberArk audit records data into the Syslog protocol. The Syslog subfolder in the CyberArk Server installation folder contains sample XSL translator files.
- Copy the Arcsight.sample.xsl XSL translator file from the Syslog subfolder of the CyberArk Server installation folder to the location specified in the SyslogTranslatorFile parameter in the DBParm.ini file.
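The following Python sketch is an added example, not CyberArk or USM Appliance code. It checks the four Syslog parameters described above and expands a SyslogMessageCodeFilter value into the message codes it selects, so a filter that silently drops audit events can be caught before it is deployed. The key=value layout of DBParm.ini, the sample values, and the function names are assumptions.

```python
import ipaddress
# Constructed sample; the key=value layout and the file path are assumptions.
SAMPLE_DBPARM = """\
SyslogServerIP=192.0.2.10
SyslogServerPort=514
SyslogMessageCodeFilter=1,2,3,5-10, 30
SyslogTranslatorFile=Syslog\\Arcsight.sample.xsl
"""

def parse_params(text):
    """Collect key=value pairs, skipping blanks, comments and [section] lines."""
    params = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params

def expand_filter(value):
    """Expand '1,2,3,5-10, 30' into the sorted list of message codes."""
    codes = set()
    for item in value.split(","):
        low, sep, high = item.strip().partition("-")
        start = int(low)                    # raises ValueError on empty items
        end = int(high) if sep else start
        if start > end:
            raise ValueError(f"reversed range: {item}")
        codes.update(range(start, end + 1))
    return sorted(codes)

def check_syslog_settings(text):
    """Return a list of problems; empty means the four settings look sane."""
    p, problems = parse_params(text), []
    try:
        ipaddress.ip_address(p.get("SyslogServerIP", ""))
    except ValueError:
        problems.append("SyslogServerIP is missing or not an IP address")
    port = p.get("SyslogServerPort", "514")  # the page gives 514 as the default
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("SyslogServerPort is not a valid UDP port")
    if "SyslogMessageCodeFilter" in p:  # absent: all codes are sent by default
        try:
            expand_filter(p["SyslogMessageCodeFilter"])
        except ValueError:
            problems.append("SyslogMessageCodeFilter is malformed")
    if not p.get("SyslogTranslatorFile", "").lower().endswith(".xsl"):
        problems.append("SyslogTranslatorFile does not name an .xsl file")
    return problems
```

Pass the text of the real DBParm.ini to `check_syslog_settings` and compare the output of `expand_filter` with the message codes your detection rules depend on.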
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
For troubleshooting, see the vendor documentation.