Connect to SIEM

This topic describes how to integrate Privilege Cloud with Security Information and Event Management (SIEM) applications.

Overview

Privilege Cloud can integrate with SIEM applications to send audit logs through the Syslog protocol and create a complete audit picture of privileged account activities in the enterprise SIEM solution. These audit logs include user and Safe activities in Privilege Cloud, which are transferred by Privilege Cloud to SIEM applications, such as MicroFocus CyberRes ArcSight and NetWitness.

Before you can connect to SIEM, you must first deploy the Secure Tunnel, as described in Deploy Secure Tunnel.

Five Syslog servers can be connected to Privilege Cloud at one time. To learn more, see Deploy Secure Tunnel.

Supported protocols

Privilege Cloud can use any of the following protocols to send messages:

Type                     Protocol
Encrypted protocols      TLS (recommended)
Non-encrypted protocols  TCP

Configure SIEM integration

To connect Privilege Cloud to your SIEM servers:

  1. If you are using TLS as a communication protocol, configure your SIEM server to use TLS 1.2 and check supported cipher suites:
  2. Ensure you have set up the Secure Tunnel and configured it for SIEM according to the guidelines in Install and configure Secure Tunnel, paying particular attention to step 6.
  3. Provide the following information to CyberArk support:

    Parameter                      Details
    SIEM server FQDN               Array.
    SIEM server port and protocol  Protocol must be TCP/TLS.
    SIEM type                      Privilege Cloud supports the following out of the box:
                                   • ArcSight
                                   • McAfee ESM
                                   • QRadar
                                   • RFC5424Changes
                                   • RSA enVision
                                   • SyslogTranslator
                                   If you are using a different SIEM, provide CyberArk support with the parser that you are using.
    TLS certificates               For SIEM servers using TLS. TLS certificates require a .pem file type extension.

Syslog audit codes

Privilege Cloud has a large number of action codes that can be used to monitor different behaviors. For general monitoring, we recommend monitoring the action codes listed in the table below.

Code                      Description
4                         User Authentication
17                        Add Safe (Unauthorized)
22                        CPM Verify Password
24                        CPM Change Password
31                        CPM Reconcile Password
38                        CPM Verify Password Failure
57                        CPM Change Password Failure
60                        CPM Reconcile Password Failure
88                        Set Password
130                       CPM Disable Password
142, 145, 148, 149, 170   Delete Safe Failure
183                       Delete Safe
185                       Add Safe
295                       Retrieve Password
300                       PSM Connect
301                       PSM Connect Failure
302                       PSM Disconnect
303                       PSM Disconnect Failure
306, 307                  Use Password
319                       Retrieve Password (from Provider)
344                       Privileged Command Initiated
346                       Privileged Command Completed
359                       PSM SQL Command
360                       PSM SQL Command Failure
361                       PSM Keystrokes
362                       PSM Keystrokes Failure
372                       Terminate session
373                       Terminate session Failure
374                       Start Monitor session
375                       Start Monitor session Failure
376                       End Monitor session
377                       End Monitor session Failure
378                       PSM Secure Connect Session Start
379                       PSM Secure Connect Session Start Failure
380                       PSM Secure Connect Session End
381                       PSM Secure Connect Session End Failure
411                       PSM Window Title
412                       PSM Window Title Failure
414                       CPM Verify SSH Key
416                       CPM Rotate SSH Key
418                       CPM Reconcile SSH Key
426                       CPM Disable SSH Key
434                       CPM has deleted the public SSH key
463                       Agent successfully changed the password for account