CyberArk Vault

You can configure CyberArk Enterprise Password Vault (EPV) and Privileged Threat Analytics (PTA) to send syslog messages in CEF or LEEF format to Rapid7 InsightIDR.

This integration allows you to:

  • Perform in-depth analysis using multi-layer correlation between log data and alerts from PTA.
  • Identify suspicious privileged user activity using behavioral analysis.
  • Determine which incidents pose the greatest threat based on the score assigned to a particular threat.
  • View PTA alerts in your dashboards and reports, and in your broader InsightIDR detections and investigation workflow.

This guide is based on CyberArk EPV version 9.95 and CyberArk PTA version 3.6.

To start ingesting CyberArk events within InsightIDR:

  1. Configure Privileged Threat Analytics
  2. Configure CyberArk PTA in InsightIDR
  3. Configure Enterprise Password Vault
  4. Configure CyberArk Vault within InsightIDR

Configure Privileged Threat Analytics

When PTA detects an event, it sends a syslog record to InsightIDR in real time, in CEF or LEEF format. The syslog integration is controlled by the syslog_outbound parameter in the PTA systemparm.properties file, located in /opt/tomcat/diamond-resources/local/. Once a PTA alert has been sent to InsightIDR, it appears in your dashboards, reports, and detections and investigation workflow.

To configure CyberArk PTA to send incidents to InsightIDR:

  1. Log on to PTA as root.
  2. Open /opt/tomcat/diamond-resources/local/systemparm.properties.
  3. To send records to InsightIDR, do one of the following:
    • If you are sending records in CEF format, add the following line:

      syslog_outbound=[{"host": "<ip of InsightIDR Collector>", "port": <port of your choosing>, "format": "CEF", "protocol": "UDP", "siem":"InsightIDR"}]

    • If you are sending records in LEEF format, add the following line:

      syslog_outbound=[{"host": "<ip of InsightIDR Collector>", "port": <port of your choosing>, "format": "LEEF", "protocol": "UDP", "siem":"InsightIDR"}]

  4. Save the configuration file and close it.
  5. Restart PTA.
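The syslog_outbound value is a JSON array embedded in a Java properties file, so an unedited placeholder such as an unquoted port silently breaks the whole setting. The following Python check is an added example, not part of Rapid7's or CyberArk's documentation; it reads a constructed systemparm.properties, extracts syslog_outbound, and reports anything that does not match the values the guide expects (the collector address and port in the samples are made up).

```python
import json

# Constructed sample of the syslog_outbound line from systemparm.properties, with
# the guide's port placeholder left unquoted on purpose: this is what an unedited
# template looks like to the JSON parser.
SAMPLE_PROPERTIES_BAD = """
# other PTA settings omitted
syslog_outbound=[{"host": "10.0.0.5", "port": <port of your choosing>, "format": "CEF", "protocol": "UDP", "siem":"InsightIDR"}]
"""
# The same line with constructed values filled in.
SAMPLE_PROPERTIES_GOOD = """
syslog_outbound=[{"host": "10.0.0.5", "port": 5514, "format": "LEEF", "protocol": "UDP", "siem":"InsightIDR"}]
"""

def extract_syslog_outbound(properties_text):
    """Return the raw syslog_outbound value from a properties file, or None if absent."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "syslog_outbound":
            return value.strip()
    return None

def check_syslog_outbound(properties_text):
    """Return a list of problems; an empty list means the line looks sound."""
    raw = extract_syslog_outbound(properties_text)
    if raw is None:
        return ["syslog_outbound is not set"]
    try:
        targets = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"syslog_outbound is not valid JSON ({exc.msg}); check for unquoted placeholders"]
    if not isinstance(targets, list) or not all(isinstance(t, dict) for t in targets) or not targets:
        return ["syslog_outbound must be a non-empty JSON array of objects"]
    problems = []
    for i, t in enumerate(targets):
        host = str(t.get("host", ""))
        if not host or host.startswith("<"):
            problems.append(f"target {i}: host is missing or still a placeholder")
        port = t.get("port")
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            problems.append(f"target {i}: port must be an integer between 1 and 65535")
        if t.get("format") not in ("CEF", "LEEF"):
            problems.append(f"target {i}: format must be CEF or LEEF")
        if t.get("protocol") != "UDP":
            problems.append(f"target {i}: protocol should be UDP, matching the InsightIDR event source")
        if t.get("siem") != "InsightIDR":
            problems.append(f"target {i}: siem must be InsightIDR")
    return problems
```

Run check_syslog_outbound on the contents of the real file before restarting PTA; the port it reports must be the one you enter for the event source in InsightIDR.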

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for CyberArk Vault in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the CyberArk Vault event source tile.
  4. Choose your collector and select CyberArk as your event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Choose Syslog as your data collection method.
  7. Enter the same port that you configured during the CyberArk PTA configuration and select UDP as your protocol.
  8. Click the Save button.

Configure Enterprise Password Vault

CyberArk EPV can send audit logs to InsightIDR through the Syslog protocol, giving you a complete, audit-ready view into privileged account activities from within InsightIDR.

These audit logs include privileged users, accounts, and safes activities, which are reported by the Vault to InsightIDR.

  1. Navigate to your CyberArk installation folders to locate the standard translator, which is in C:\Program Files (x86)\PrivateArk\Server\Syslog by default.
  2. Copy the standard translator and rename the copy to Rapid7.xsl.
  3. In the server installation folder (C:\Program Files (x86)\PrivateArk\Server), open DBPARM.ini and add the following lines:

      [SYSLOG]
      SyslogServerIP=<ip of InsightIDR Collector>
      SyslogServerProtocol=UDP
      SyslogServerPort=<port of your choosing>
      SyslogMessageCodeFilter=295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,57,416,385,386,471,472
      SyslogTranslatorFile=Syslog\Rapid7.xsl
      UseLegacySyslogFormat=no

  4. Make any appropriate changes, then save the file and close it.
  5. Restart CyberArk Vault, and start the PrivateArk Server Service.
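Because the Vault only reads DBPARM.ini at service start, a typo in the [SYSLOG] section costs a restart to discover. The following Python check is an added example, not Rapid7's or CyberArk's own tooling; it pulls the [SYSLOG] section out of a constructed DBPARM.ini (collector address and port are made up, the rest follows the guide), skips the file's other sections, and flags placeholders, a non-UDP protocol, a bad port, malformed or duplicated message codes, and a translator path that does not point at Rapid7.xsl.

```python
# Constructed sample of the [SYSLOG] section added to DBPARM.ini, using the guide's
# values with a constructed collector address and port; other sections are skipped.
SAMPLE_DBPARM = r"""
[MAIN]
TimeZone=0
[SYSLOG]
SyslogServerIP=10.0.0.5
SyslogServerProtocol=UDP
SyslogServerPort=5515
SyslogMessageCodeFilter=295,308,7,24,31,428,361,372,373,359,436,412,411,300,302,294,427,57,416,385,386,471,472
SyslogTranslatorFile=Syslog\Rapid7.xsl
UseLegacySyslogFormat=no
"""

def read_syslog_section(ini_text):
    """Return the [SYSLOG] key/value pairs with keys lower-cased (INI keys are case-insensitive)."""
    section, in_syslog = {}, False
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_syslog = line[1:-1].strip().upper() == "SYSLOG"
        elif in_syslog and "=" in line:
            key, _, value = line.partition("=")
            section[key.strip().lower()] = value.strip()
    return section

def check_dbparm_syslog(ini_text):
    """Return a list of problems with the [SYSLOG] section; empty means it looks sound."""
    s = read_syslog_section(ini_text)
    if not s:
        return ["no [SYSLOG] section found"]
    problems = []
    if not s.get("syslogserverip") or s["syslogserverip"].startswith("<"):
        problems.append("SyslogServerIP is missing or still a placeholder")
    if s.get("syslogserverprotocol", "").upper() != "UDP":
        problems.append("SyslogServerProtocol should be UDP, matching the InsightIDR event source")
    port = s.get("syslogserverport", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("SyslogServerPort must be an integer between 1 and 65535")
    codes = [c.strip() for c in s.get("syslogmessagecodefilter", "").split(",") if c.strip()]
    if not codes or not all(c.isdigit() for c in codes):
        problems.append("SyslogMessageCodeFilter must be a comma-separated list of numeric codes")
    elif len(set(codes)) != len(codes):
        problems.append("SyslogMessageCodeFilter contains duplicate codes")
    if not s.get("syslogtranslatorfile", "").lower().endswith("rapid7.xsl"):
        problems.append("SyslogTranslatorFile should point at the renamed Syslog\\Rapid7.xsl")
    return problems
```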

Configure CyberArk Vault within InsightIDR

  1. From your InsightIDR main dashboard, select Data Collection from the left-hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Third Party Alerts” section, click the Custom Logs icon. The “Add Event Source” panel appears.
  4. Choose your collector and select CyberArk Vault as your event source. You can also name your event source if you want.
  5. Choose the timezone that matches the location of your event source logs.
  6. Choose Syslog as your collection method.
  7. Enter the same port that you configured in DBPARM.ini for CyberArk Vault and select UDP as your protocol.
  8. Click the Save button.

You can access events sent by CyberArk by going to Log Search, and selecting the Third Party Alert log set.

Once CyberArk data starts flowing into InsightIDR, logs will be automatically structured for easy searching and visualization.

In InsightIDR Dashboards, you can easily visualize your privileged access security data.