IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
CyberArk Privileged Access Security Recommended Monitor
editCyberArk Privileged Access Security Recommended Monitor
editIdentifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
Rule type: query
Rule indices:
- filebeat-*
- logs-cyberarkpas.audit*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-30m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
- https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_3#RecommendedActionCodesforMonitoring
Tags:
- Elastic
- cyberarkpas
- SecOps
- Log Auditing
- Threat Detection
- Privilege Escalation
Version: 3 (version history)
Added (Elastic Stack release): 7.14.0
Last modified (Elastic Stack release): 8.4.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editTo tune this rule, add exceptions to exclude any event.code which should not trigger this rule.
Investigation guide
edit## Triage and analysis This is a promotion rule for CyberArk events, which the vendor recommends should be monitored. Consult vendor documentation on interpreting specific events.
Rule query
editevent.dataset:cyberarkpas.audit and event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and not event.type:error
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Privilege Escalation
- ID: TA0004
- Reference URL: https://attack.mitre.org/tactics/TA0004/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Rule version history
edit- Version 3 (8.4.0 release)
-
- Formatting only