SIEM

The CyberArk Identity Security Information and Event Management (SIEM) integration for Splunk includes the following versions (available in the Admin Portal Downloads section):

  • CyberArk Identity Add-on for Splunk v1

    In this version of the Splunk Add-on, a syslog writer application is required for data collection. The syslog writer retrieves CyberArk Identity or User Behavior Analytics (UBA) events using REST APIs and writes those events to the syslog. The Splunk Add-on, or other SIEM integration, then uses the syslog as a data source. Two syslog writer applications are available from the Admin Portal > Downloads page: CyberArk Syslog Writer and the CyberArk Identity Threat Intelligence Syslog Writer. The CyberArk Syslog Writer captures events from CyberArk Identity, while the CyberArk Identity Threat Intelligence Syslog Writer captures events from User Behavior Analytics.

    The following guide describes how to configure the OAuth app and the SIEM user on a CyberArk tenant and how to install a Docker app that retrieves CyberArk Identity or User Behavior Analytics event logs, and it provides guidelines for setting up the Splunk Add-on for CyberArk Identity.

    The SIEM integration guide provides information on both the CyberArk Syslog Writer and the CyberArk Identity Threat Intelligence Syslog Writer. The CyberArk Syslog Writer is only used with the Splunk Add-on v1. The CyberArk Identity Threat Intelligence Syslog Writer can be used with the Splunk Add-on v1 or other SIEM integrations, such as Qradar.

    Click the following link for details:

    SIEM integration guide

  • Splunk Add-on for CyberArk Identity v2

    In this version of the Splunk Add-on, the Syslog Writer is not required. Data collection uses CyberArk Identity Rest APIs. This version also includes a Security Overview dashboard (see View the Security Overview Dashboard), which provides a consolidated view of denied multi-factor authentication attempts. For installation and configuration information, see Splunk Add-on for CyberArk Identity v2 Integration.

You can run Splunk Add-on for CyberArk Identity v2 alongside an earlier version; however, there is no direct migration path from version 1 to version 2. If you are running an older version of the Splunk Add-on (version 1.0.1) and want to upgrade, you need to install version 2 of the Splunk Add-on for CyberArk Identity and configure its inputs.

Splunk Add-on for CyberArk Identity v2 Integration

Using CyberArk Identity REST APIs, the Splunk Add-on for CyberArk Identity v2 allows a Splunk administrator to collect event data from CyberArk Identity. The Splunk Add-on collects data such as additions, updates, deletions, and actions for CyberArk Identity tenant-related events. An event might include data for the following:

  • When a server changed state (for example, when a server is added)

  • When an action succeeded or failed (for example, password rotation)

  • Events that occurred within a specific period of time (for example, all the servers accessed by a specific user in the last month)

This topic includes information on how to add the Splunk Add-on for CyberArk Identity v2 to Splunk to start collecting event data. The installation and configuration steps include the following:

Even though the filename in CyberArk Identity Admin Portal > Downloads is referenced as Splunk Add-on for CyberArk Identity v2, the Splunk Add-on is displayed as Idaptive Identity Services Add-on for Splunk in the Splunk Enterprise User Interface.

Source Type

For details related to data source, source type, event types, and tags assigned in Splunk, see the following:

Source: Redrock/query API

Type: IIS events

Description:

  sourcetype: iis:events

  eventtype: idaptive_events (tags: --)

  eventtype: idaptive_authentication (tags: authentication)

Add the OAuth2 Client application and set up a SIEM user

The following procedures describe how to set up a SIEM user and configure the OAuth2 Client application in the CyberArk Identity Admin Portal. You must have a valid CyberArk Identity account (SIEM user) assigned to a role with enough permissions to read event data from CyberArk Identity using OAuth.

Step 1: Add and configure the OAuth2 Client App in the Admin Portal

  1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

    The Add Web Apps screen appears.

  2. Click Custom.

  3. On the Custom tab, next to the OAuth2 Client application, click Add.
  4. In the Add Web App screen, click Yes to add the application.

    Admin Portal adds the application.

  5. Click Close to exit the Application Catalog.

    The application that you just added opens to the Settings page.

  6. In the Settings > Application ID field, type oauthsiem.

  7. In Tokens > Auth methods, click Client Creds, and then click Save.

  8. In Scope > Scope definitions click Add to add a new scope. Then in Scope definitions configure the following:

    • In the Name field, type siem.

    • In the Allowed REST APIs section, click Add, and enter Redrock/query.*

    • Click Save.

Step 2: Create a SIEM user and a service account role

  1. In the Admin Portal, select Core Services > Users and click Add User.

  2. In Create CyberArk Cloud Directory User, configure the following fields specifically for the Splunk Add-on integration (you can configure other settings according to your implementation):

    • Login Name—enter siemuser.

    • Status—select IsOAuth confidential client (this also automatically selects Password never expires and Is Service User)

  3. In the Admin Portal, select Core Services > Roles and click Add Role.

  4. Configure the following for the Splunk Add-on integration in the Roles page:

    Role page: Description

    • In the Name field, enter service account as the Role name.

    • Click Save.

    Role page: Members

    • In the list of Roles, click the service account role.

    • Select the Members page.

    • Click Add and then search for siemuser (the name you created earlier).

    • Select siemuser.

    • Click Add, and then click Save.

    Role page: Administrative Rights

    • Click Add, and in Add Rights select Read Only System Administration.

    • Click Add and then click Save.

    Role page: Assigned Applications

    • Click Add.

    • In Add Applications, select the OAuth2 Client you added earlier.

    • Click Add and then click Save.

Verify the Admin Portal settings

Once the steps above are complete, check the following settings:

Admin Portal page: Core Services > Users > Account

Verify configuration:

  • Verify that the siemuser Source column indicates the user is a CyberArk Cloud Directory user.

  • Click the siemuser and make sure the Account Status settings indicate the following:

Admin Portal page: Core Services > Users > Roles

Verify configuration: Verify that the Role with the name service account is listed for the siemuser account and has the Read Only System Administration right.

Admin Portal page: Apps > Web Apps > OAuth2 Client

Verify configuration: Verify that the Permissions page displays the service account Role in the Name column and that the Run and Automatically Deploy permissions are selected.

Install Splunk Add-on for CyberArk Identity

For Splunk Enterprise system requirements, see the following: https://docs.splunk.com/Documentation/Splunk/8.1.0/Installation/Systemrequirements

Use the table below to determine where and how to install the Splunk Add-on for CyberArk Identity in a distributed deployment of Splunk Enterprise.

Splunk Instance Type: Heavy Forwarder
Supported: Yes. Required: Yes.

Splunk Instance Type: Universal Forwarder
Supported: No. Required: No.

Splunk Instance Type: Indexer
Supported: Yes. Required: No.
Additional Information: In the case of an indexer cluster, install the Splunk add-on only on the heavy forwarder to avoid duplicate data collection.

Splunk Instance Type: Search Head or Search Head cluster
Supported: Yes. Required: Yes.
Additional Information: The Splunk add-on has a dashboard and various search-time field extractions.

To install the Splunk Add-on for CyberArk Identity

The Splunk Add-on for CyberArk Identity v2 file is available from the CyberArk Identity Admin Portal > Downloads page. The following steps describe how to install the Splunk Add-on for CyberArk Identity v2 file.

  1. In Admin Portal > Downloads > SIEM Integrations, click Download next to Splunk Add-on for CyberArk Identity v2.

  2. Open Splunk Enterprise in a browser.

  3. From the Splunk Web home screen, select Manage Apps > Install app from file.

  4. Browse to locate the file and upload the Splunk Add-on for CyberArk Identity file: cyberark-identity-services-add-on-for-splunk_2.tgz

    You may be prompted to restart the server. After the server is restarted, you can create a new input for Splunk Add-on for CyberArk Identity.

Once installed, you will see Idaptive Identity Services Add-on for Splunk in the left navigation bar in the Splunk Web home screen.

Configure Splunk Add-on for CyberArk Identity

To configure the Splunk Add-on for CyberArk Identity, select Idaptive Identity Services Add-on for Splunk from the left navigation bar in the Splunk Web home screen. You can then configure the following optional and required services:

To add a new input for data collection

  1. Select Idaptive Identity Services Add-on for Splunk from the left navigation bar in the Splunk Web home screen.

  2. Select the Inputs tab and click Create New Input to add a new input.

  3. Enter the following information:

    Name

    Enter a name to identify the data source. For example, event_logs.

    Interval

    Enter the interval in seconds, typically 300 seconds, to use for data collection.

    Index

    Enter the Splunk index where you want the data to be written.

    Tenant URL

    Enter the URL of your CyberArk Identity tenant. For example, https://example.my.idaptive.app.
    Select Event Types

    Select event types for data collection. You can use this field or enter the event types manually using the Enter Event Types field below.

    Examples of available event types:

    • MFA (Default)

      Selecting this retrieves events with an EventType such as 'Cloud.Core.MfaSummary*'

    • Applications

      Selecting this retrieves events with an EventType such as 'Cloud.Saas.Application.*'

    • Login/Logout

      Selecting this retrieves events with an EventType such as 'Cloud.Core.Login*' or 'Cloud.Core.Logout*'

    • Configs

      Selecting this retrieves events with an EventType such as 'Cloud.Core.Configs.*'

    • All

      Selecting this retrieves all event types.

    See the following for more information: https://docs.idaptive.com/Content/Analytics/Events/Events.htm

    Enter Event Types

    If you did not select event types in the field above (Select Event Types), you can use this field to enter manually the event types that are needed in data collection. This input is case sensitive. Multiple values can be comma separated. For example, "Cloud.Core.LoginFail"

    Client Id

    Enter the user name of the SIEM user that you configured in the CyberArk Identity Admin Portal. For example: siemuser@example

    The suffix must be included.

    Client Password

    Enter the password of the SIEM user that you configured in the CyberArk Identity Admin Portal.

    OAuth App Id

    Enter the Application ID configured in the OAuth2 Client application in the CyberArk Identity Admin Portal. For example, oauthsiem.

    Scope

    Enter the name of the scope configured in the OAuth2 Client application in the CyberArk Identity Admin Portal. For example, siem.

    Rollback

    Enter the number of hours before now to start collecting data. (Applied only when data collection starts for the first time for a new input.) The default value is 1. This starts data collection for events that occur from now – 1 hour onwards. For example, if this input field is configured for 11:00 a.m., data collection starts at 10:00 a.m. on the start date.

    Batch Size

    Enter the time window (in minutes) that is used internally for each query. The default value is 10. If Rollback is 1 hour, the data is fetched internally in 6 batches (queries), because the batch size is 10 minutes. This is transparent to the end user. When the event data load is high, a query may time out on the server; in that situation, reducing the batch_size to 5 or 3 minutes may help.

  4. Click Add to complete the input configuration.

    If you have multiple tenant instances, you need to repeat these steps for each tenant instance.
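The Rollback, Batch Size and event-type settings above are easiest to see in code. The following Python is an added example, not the add-on's own code: it plans the query windows for a 1-hour rollback at 10-minute batches, falls back to 5- and then 3-minute batches when a window times out, and maps the event-type choices to the prefixes listed in the table. The query function and the sample clock are constructed stand-ins for the Redrock/query call and the real time.

```python
from datetime import datetime, timedelta, timezone
# "Select Event Types" choices mapped to the EventType prefixes listed in
# the input table above ("All" means no filter at all).
EVENT_TYPE_PREFIXES = {
    "MFA": ["Cloud.Core.MfaSummary"],
    "Applications": ["Cloud.Saas.Application."],
    "Login/Logout": ["Cloud.Core.Login", "Cloud.Core.Logout"],
    "Configs": ["Cloud.Core.Configs."],
}
# Constructed sample clock: the input is configured at 11:00 a.m. UTC.
NOW = datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)

def event_type_filters(selected, manual=""):
    """EventType prefixes to collect; manual entries are comma separated and case sensitive."""
    if "All" in selected:
        return []  # empty filter list: collect every event type
    prefixes = [p for choice in selected for p in EVENT_TYPE_PREFIXES[choice]]
    return prefixes + [m.strip() for m in manual.split(",") if m.strip()]

def plan_windows(start, end, batch_minutes):
    """Split [start, end) into consecutive windows of batch_minutes."""
    step, windows, cursor = timedelta(minutes=batch_minutes), [], start
    while cursor < end:
        nxt = min(cursor + step, end)
        windows.append((cursor, nxt))
        cursor = nxt
    return windows

def collect(query, now, rollback_hours=1, batch_minutes=10, fallbacks=(5, 3)):
    """Fetch events from now - rollback_hours up to now, one window at a time.
    query(start, end) is an assumed stand-in for the Redrock/query call; when it
    raises TimeoutError the unfetched range is re-planned with a smaller batch."""
    events, cursor = [], now - timedelta(hours=rollback_hours)
    for size in (batch_minutes, *fallbacks):
        try:
            for w_start, w_end in plan_windows(cursor, now, size):
                events.extend(query(w_start, w_end))
                cursor = w_end  # advance only after the window succeeds
            return events, size  # size that finally worked
        except TimeoutError:
            continue  # retry the remaining range with a smaller window
    raise TimeoutError("server still times out at the smallest batch size")

def constructed_query(max_minutes):
    """Constructed backend: one fake event per window, time-out above max_minutes."""
    def query(start, end):
        if end - start > timedelta(minutes=max_minutes):
            raise TimeoutError
        return [{"EventType": "Cloud.Core.LoginFail", "WhenOccurred": start.isoformat()}]
    return query
```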

To configure a proxy (optional)

  1. Select Idaptive Identity Services Add-on for Splunk from the left navigation bar in the Splunk Web home screen.

  2. Select the Configuration tab and click Proxy.

  3. Click Enable and then configure the Proxy parameters for your organization's proxy server. Once complete, click Save.

To change the log level in Logger (optional)

  1. Select Idaptive Identity Services Add-on for Splunk from the left navigation bar in the Splunk Web home screen.

  2. Select the Configuration tab and click Logging.

  3. Click Log level and select DEBUG to enable logging for the Splunk Add-on.
  4. Click Save.

Search IIS events

You can perform various ad hoc analyses on the IIS events in Splunk using Splunk's Search Processing Language (SPL). See the following table for examples:

Event

Search Command

Number of Failed Logins

sourcetype="iis:events" EventType="Cloud.Core.LoginFail" | stats count

Number of Self-service application launches

sourcetype="iis:events" EventType="Cloud.Saas.Application.SelfServiceAppLaunch" | stats count

View the Security Overview Dashboard

You can view metrics and charts related to denied MFA attempts in the Security Overview Dashboard. To make sure information regarding denied MFA attempts populate the dashboard, select the MFA event type when configuring Inputs (see To add a new input for data collection).

Troubleshoot Splunk Add-on for CyberArk Identity

To troubleshoot Splunk Add-on issues use the following search to find logs:

index="_internal" source="*idaptive*"

For example, if the symptom is that events are not showing in search results, the issue identified in the log might be one of the following:

Issue: Tenant URL is not accessible
Solution: Copy the tenant URL from the input tab and try to open it in a browser. You should then be able to identify any mistakes in the URL.

Issue: Incorrect credentials for SIEM users
Solution: Verify the credentials for the SIEM user and update the input data.

Issue: Incorrect or insufficient configuration on the tenant
Solution: Check your settings as described in this document to verify the tenant configuration.

Issue: Read time out error from server
Solution: Reduce batch_size by editing the modular input.