Connect to SIEM
This topic describes how to integrate Privilege Cloud with Security Information and Event Management (SIEM) applications.
Overview
Privilege Cloud can integrate with SIEM applications to send audit logs through the Syslog protocol and create a complete audit picture of privileged account activities in the enterprise SIEM solution. These audit logs include user and Safe activities in Privilege Cloud, which are transferred by Privilege Cloud to SIEM applications, such as MicroFocus CyberRes ArcSight and NetWitness.
Before you can connect to SIEM, you must first deploy the Secure Tunnel, as described in Deploy Secure Tunnel.
Five Syslog servers can be connected to Privilege Cloud at one time. To learn more, see Deploy Secure Tunnel.
Supported protocols
Privilege Cloud can use any of the following protocols to send messages:
|
Type |
Protocol |
|---|---|
|
Encrypted protocols |
TLS (recommended) |
|
Non-encrypted protocols |
TCP |
Configure SIEM integration
To connect Privilege Cloud to your SIEM servers:
- If you are using TLS as a communication protocol, configure your SIEM server to use TLS 1.2 and check supported cipher suites:Supported cipher suites for encrypted communication between the CyberArk backend and SIEM integrations:
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_128_GCM_SHA256
DHE_RSA_WITH_AES_256_GCM_SHA384
DHE_RSA_WITH_AES_128_GCM_SHA256
- Ensure you have set up the Secure Tunnel and have configured it for SIEM according to the guidelines in Install and configure Secure Tunnel, note especially step 6.
-
Provide the following information to CyberArk support:
Parameter
Details
SIEM server FQDN
Array.
SIEM server port and protocol Protocol must be TCP/TLS. SIEM type Privilege Cloud supports the following out of the box:
- ArcSight
- McAfee ESM
- QRadar
- RFC5424Changes
- RSA enVision
- SyslogTranslator
If you are using a different SIEM, provide CyberArk support with the parser that you are using.
TLS certificates
For SIEM servers using TLS.
TLS certificates require a .pem file type extension.
Syslog audit codes
Privilege Cloud has a large number of action codes that can be used to monitor different behaviors. For general monitoring, we recommend monitoring the action codes listed in the table below.
| Code | Description |
|---|---|
|
4 |
User Authentication |
|
17 |
Add Safe (Unauthorized) |
|
22 |
CPM Verify Password |
|
24 |
CPM Change Password |
|
31 |
CPM Reconcile Password |
|
38 |
CPM Verify Password Failure |
|
57 |
CPM Change Password Failure |
|
60 |
CPM Reconcile Password Failure |
|
88 |
Set Password |
|
130 |
CPM Disable Password |
|
142, 145, 148, 149, 170 |
Delete Safe Failure |
|
183 |
Delete Safe |
|
185 |
Add Safe |
|
295 |
Retrieve Password |
|
300 |
PSM Connect |
|
301 |
PSM Connect Failure |
|
302 |
PSM Disconnect |
|
303 |
PSM Disconnect Failure |
|
306, 307 |
Use Password |
|
319 |
Retrieve Password (from Provider) |
|
344 |
Privileged Command Initiated |
|
346 |
Privileged Command Completed |
|
359 |
PSM SQL Command |
|
360 |
PSM SQL Command Failure |
|
361 |
PSM Keystrokes |
|
362 |
PSM Keystrokes Failure |
|
372 |
Terminate session |
|
373 |
Terminate session Failure |
|
374 |
Start Monitor session |
|
375 |
Start Monitor session Failure |
|
376 |
End Monitor session |
|
377 |
End Monitor session Failure |
|
378 |
PSM Secure Connect Session Start |
|
379 |
PSM secure Connect session start Failure |
|
380 |
PSM Secure Connect Session End |
|
381 |
PSM secure Connect session End Failure |
|
411 |
PSM Window Title |
|
412 |
PSM Windows Title Failure |
|
414 |
CPM Verify SSH Key |
|
416 |
CPM Rotate SSH Key |
|
418 |
CPM Reconcile SSH Key |
|
426 |
CPM Disable SSH Key |
|
434 |
CPM has deleted the public SSH key |
|
463 |
Agent successfully changed the password for account |
