|
| 1 | +--- |
| 2 | +id: cyberark-audit |
| 3 | +title: CyberArk Audit |
| 4 | +sidebar_label: CyberArk Audit |
| 5 | +description: The CyberArk Audit app for Sumo Logic provides insights into your organization's cybersecurity practices to strengthen security. |
| 6 | +--- |
| 7 | + |
| 8 | +import useBaseUrl from '@docusaurus/useBaseUrl'; |
| 9 | + |
| 10 | +<img src={useBaseUrl('img/send-data/cyberark.png')} alt="thumbnail icon" width="50"/> |
| 11 | + |
| 12 | +The Sumo Logic app for CyberArk Audit is a robhust tool that provides insights into your organization's cybersecurity practices. It helps IT and security teams monitor, analyze, and visualize audit trails of user activities, security events, and anomalies. By tracking data on security events, identity management, component usage, and administrative actions, the app delivers actionable intelligence to identify and mitigate security risks, ensuring compliance with regulations and internal policies. Customizable dashboards and detailed reporting enhance its ability to strengthen security. |
| 13 | + |
| 14 | +:::info |
| 15 | +This app includes [built-in monitors](#cyberark-audit-monitors). For details on creating custom monitors, refer to [Create monitors for CyberArk Audit app](#create-monitors-for-cyberark-audit-app). |
| 16 | +::: |
| 17 | + |
| 18 | +## Log types |
| 19 | + |
| 20 | +This app uses Sumo Logic’s [CyberArk Audit source](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source/) to collect the audit logs from the CyberArk Audit platform. |
| 21 | + |
| 22 | +## Sample log messages |
| 23 | + |
| 24 | +<details> |
| 25 | +<summary>Audit Log</summary> |
| 26 | + |
| 27 | +```json |
| 28 | +{ |
| 29 | + "uuid": "c131ad7d-af67-4a80-907c-3f982ef5d3be", |
| 30 | + "tenantId": "9880566d-4831-4a33-9e11-f4958deae142", |
| 31 | + "timestamp": 1742370356027, |
| 32 | + "username": "PVWAGWUser", |
| 33 | + "applicationCode": "PAM", |
| 34 | + "auditCode": "PAM00088", |
| 35 | + "auditType": "Info", |
| 36 | + "action": "Set Password", |
| 37 | + "userId": "PVWAGWUser", |
| 38 | + "source": "PVWAAPP", |
| 39 | + "actionType": "Password", |
| 40 | + "component": "Vault", |
| 41 | + "serviceName": "Privilege Cloud", |
| 42 | + "accessMethod": null, |
| 43 | + "accountId": "", |
| 44 | + "target": "", |
| 45 | + "command": null, |
| 46 | + "sessionId": null, |
| 47 | + "message": "", |
| 48 | + "customData": { |
| 49 | + "PAM": { |
| 50 | + "new_target": "", |
| 51 | + "target": "" |
| 52 | + } |
| 53 | + }, |
| 54 | + "cloudProvider": null, |
| 55 | + "cloudWorkspacesAndRoles": [], |
| 56 | + "cloudIdentities": null, |
| 57 | + "cloudAssets": null, |
| 58 | + "safe": "", |
| 59 | + "accountName": "", |
| 60 | + "targetPlatform": "", |
| 61 | + "targetAccount": "", |
| 62 | + "identityType": null |
| 63 | +} |
| 64 | +``` |
| 65 | +</details> |
| 66 | + |
| 67 | +## Sample queries |
| 68 | + |
| 69 | +```sql title="Password Reset Events" |
| 70 | +_sourceCategory="Labs/CyberArkAudit" |
| 71 | +| json "uuid", "auditType", "serviceName", "actionType", "action", "identityType", "source", "auditCode", "timestamp", "tenantId", "username", "userId", "component", "message", "customData" as id, audit_type, service_name, action_type, action, identity_type, source, audit_code, timestamp, tenant_id, username, user_id, component, message, custom_data nodrop |
| 72 | + |
| 73 | +// global filters |
| 74 | +| where service_name matches "{{service_name}}" |
| 75 | +| where action_type matches "{{action_type}}" |
| 76 | +| where audit_type matches "{{audit_type}}" |
| 77 | +| where component matches "{{component}}" |
| 78 | +| where audit_code matches "{{audit_code}}" |
| 79 | +| where action matches "{{action}}" |
| 80 | +| where if ("{{identity_type}}" = "*", true, identity_type matches "{{identity_type}}") |
| 81 | + |
| 82 | +// panel logic |
| 83 | +| where toLowerCase(action_type) matches "password" AND toLowerCase(action) matches "set password" |
| 84 | +| count by id |
| 85 | +| count |
| 86 | +``` |
| 87 | + |
| 88 | +## Collection configuration and app installation |
| 89 | + |
| 90 | +import CollectionConfiguration from '../../reuse/apps/collection-configuration.md'; |
| 91 | + |
| 92 | +<CollectionConfiguration/> |
| 93 | + |
| 94 | +:::important |
| 95 | +Use the [Cloud-to-Cloud Integration for CyberArk Audit](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cyberark-audit-source/) to create the source and use the same source category while installing the app. By following these steps, you can ensure that your CyberArk Audit app is properly integrated and configured to collect and analyze your CyberArk Audit data. |
| 96 | +::: |
| 97 | + |
| 98 | +### Create a new collector and install the app |
| 99 | + |
| 100 | +import AppCollectionOPtion1 from '../../reuse/apps/app-collection-option-1.md'; |
| 101 | + |
| 102 | +<AppCollectionOPtion1/> |
| 103 | + |
| 104 | +### Use an existing collector and install the app |
| 105 | + |
| 106 | +import AppCollectionOPtion2 from '../../reuse/apps/app-collection-option-2.md'; |
| 107 | + |
| 108 | +<AppCollectionOPtion2/> |
| 109 | + |
| 110 | +### Use an existing source and install the app |
| 111 | + |
| 112 | +import AppCollectionOPtion3 from '../../reuse/apps/app-collection-option-3.md'; |
| 113 | + |
| 114 | +<AppCollectionOPtion3/> |
| 115 | + |
| 116 | +## Viewing the CyberArk Audit dashboards |
| 117 | + |
| 118 | +import ViewDashboards from '../../reuse/apps/view-dashboards.md'; |
| 119 | + |
| 120 | +<ViewDashboards/> |
| 121 | + |
| 122 | +### Overview |
| 123 | + |
| 124 | +The **CyberArk Audit - Overview** dashboard provides a comprehensive view of audit data, helping teams assess cybersecurity events in your organization. It displays key metrics like total events to display the volume of audit activities, explore events through service names and action types to reveal system access patterns. By categorizing events by audit and identity types, you can get insights into different event categories and user behaviors. Trend analysis and event distribution by geography helps you to identify anomalies, while summaries of deleted events highlights the active and ghost IT activities. This dashboard is the central nervous system for operational monitoring and strategic cybersecurity decisions. <br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/CyberArk-Audit/CyberArk+Audit+-+Overview.png' alt="CyberArk-Audit-Overview" /> |
| 125 | + |
| 126 | +### Security Overview |
| 127 | + |
| 128 | +The **CyberArk Audit - Security Overview** dashboard provides focuses on security metrics related to audit events for network administrators and cybersecurity teams. It highlights high-risk activities such as password resets, suspicious threats, and multi-factor authentication (MFA) events. The dashboard shows administrative events by location, noting activities from embargoed areas. It visualizes OAuth token generation trends to identify anomalies and secure access points. Summaries of password resets, administrative events, and login attempts help detect vulnerabilities and unauthorized access, enhancing cybersecurity defense. <br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/CyberArk-Audit/CyberArk+Audit+-+Security+Overview.png' alt="CyberArk-Audit-Security-Overview" /> |
| 129 | + |
| 130 | +### Logins |
| 131 | + |
| 132 | +The **CyberArk Audit - Logins** dashboard provides an overview of user authentication activities, tracking successful and failed login trends. It visualizes successful logins by location and flags access from embargoed areas, emphasizing geopolitical access restrictions. For failed logins, the dashboard identifies locations and top users involved, highlighting potential account compromises. This dashboard helps security teams strengthen authentication and prevent unauthorized access, enhancing overall cybersecurity. <br/><img src='https://sumologic-app-data-v2.s3.us-east-1.amazonaws.com/dashboards/CyberArk-Audit/CyberArk+Audit+-+Logins.png' alt="CyberArk-Audit-Logins" /> |
| 133 | + |
| 134 | +## Create monitors for CyberArk Audit app |
| 135 | + |
| 136 | +import CreateMonitors from '../../reuse/apps/create-monitors.md'; |
| 137 | + |
| 138 | +<CreateMonitors/> |
| 139 | + |
| 140 | +### CyberArk Audit monitors |
| 141 | + |
| 142 | +| Name | Description | Trigger Type (Critical / Warning / MissingData) | Alert Condition | |
| 143 | +|:--|:--|:--|:--| |
| 144 | +| `CyberArk Audit - Events from Embargoed Locations` | This alert is triggered when CyberArk activity is detected from embargoed or restricted locations. This may indicate unauthorized access attempts from high-risk regions. | High | Count > 0 | |
| 145 | +| `CyberArk Audit - Excessive Password Resets` | This alert is triggered when an unusual high number of password resets occur within a short period. This could be a sign of compromised accounts or malicious insider activity. | High | Count > 5 | |
| 146 | +| `CyberArk Audit - Failed Login Attempts` | This alert is triggered when repeated failed login attempts are detected, indicating brute force attacks or unauthorized attempts to access privileged accounts. | Critical | Count > 0| |
| 147 | +| `CyberArk Audit - Multiple Failed Vault Access Attempts` | This alert notifies you when multiple failed attempts are made to access the CyberArk vault, signaling potential credential theft or unauthorized access attempts. | Critical | Count > 3| |
| 148 | +| `CyberArk Audit - OAuth Token Generation Events from Embargoed Locations` | This alert is triggered when OAuth tokens are generated from embargoed locations, which may indicate a potential security breach or misuse of privileged access. | High | Count > 0| |
| 149 | +| `CyberArk Audit - Threats Detected` | This alert is triggered when threats within CyberArk, such as unauthorized access, suspicious activity, or potential compromise of privileged credentials are detected. | Critical | Count > 0| |
| 150 | + |
| 151 | +## Upgrading the CyberArk Audit app (Optional) |
| 152 | + |
| 153 | +import AppUpdate from '../../reuse/apps/app-update.md'; |
| 154 | + |
| 155 | +<AppUpdate/> |
| 156 | + |
| 157 | +## Uninstalling the CyberArk Audit app (Optional) |
| 158 | + |
| 159 | +import AppUninstall from '../../reuse/apps/app-uninstall.md'; |
| 160 | + |
| 161 | +<AppUninstall/> |
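Review bot: The monitors table under "CyberArk Audit monitors" declares its third column as `Trigger Type (Critical / Warning / MissingData)` but four rows use `High`, which is not one of the listed values; change those to `Critical` or `Warning` so the column matches its header. In the same table, `CyberArk Audit - Failed Login Attempts` is described as firing on "repeated failed login attempts" yet its condition is `Count > 0`, so a single failure alerts; either raise the threshold or reword the description (the `Multiple Failed Vault Access Attempts` row, with `Count > 3`, shows the intended pattern). Smaller fixes in the prose: `robhust` should be `robust` in the intro paragraph; `provides focuses on` in the Security Overview paragraph should be `focuses on`; in the Overview paragraph the verbs should agree with their plural subjects (`Trend analysis and event distribution by geography help`, `summaries of deleted events highlight`) and `the active and ghost IT activities` is unclear as written. The import names `AppCollectionOPtion1`, `AppCollectionOPtion2` and `AppCollectionOPtion3` use an odd `OPtion` casing that does not match the other imports on the page (`CollectionConfiguration`, `ViewDashboards`, `CreateMonitors`); normalise them while the file is new. In the sample query, note that the `identity_type` filter is wrapped in `if ("{{identity_type}}" = "*", true, ...)` because `identityType` is `null` in the sample event; the other `matches` filters will drop events where the field is missing, which is fine for this panel but worth a comment so later panels do not copy the pattern for nullable fields such as `accessMethod` or `sessionId`.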