CEF-Based Format Definition

The following table describes the CEF-based format of the syslog records sent by PTA.

Field

Description

Specified value

Prefix fields

CEF:[number]

The CEF header and version.
The version number identifies the version of the CEF format.

CEF:0

Device Vendor, Device Product, Device Version

Information about the device sending the message. For PTA, the Device Vendor is CyberArk, and the Device Product is PTA.

CyberArk, PTA, 13.0

Event Type

A unique ID that identifies the event that is reported.

{21-55}

Event Name

A description of the reported event type.

{Suspected credentials theft, Unmanaged privileged account, Privileged access during irregular hours, etc…}

 

For a complete list of PTA detections, indicators of compromise and their descriptions, see What Detections Does PTA Report?.

Severity

A numeric value that indicates the severity of the event.

1 is the lowest event severity
10 is the highest event severity

{1,2,3,4,5,6,7,8,9,10}

Extension fields

suser

Source User Name

Any user

shost

Source host name

Any host

src

Source IP address

Any IP

duser

Destination user name

Any user

dhost

Destination host address

Any host

dst

Destination IP address

Any IP

cs1Label

The label of the  Extra Data field

“ExtraData”

cs1

Additional information which is relevant for the reported security event

For example, SPN and Session

cs2Label

The label of the Security Event ID field

“EventID”

cs2

The ID of the reported security event

52b06812ec3500ed864c461e

deviceCustomDate1Label

The label of the detectionDate field

“DetectionDate”

deviceCustomDate1

The system time when PTA identified the security event

1388577900000

cs3Label

The label of the link field

“PTALink”

cs3

The HTTPS link to the Security Events page in PVWA.

https://10.1.1.1./PasswordVault/v10/pta/events

cs4Label

The label of the external link field

“ExternalLink”

cs4

An HTTPS link to other CyberArk or third party products that can add more information to the security event.

Note: Due to a CEF limitation, if the link includes the equals sign (=), the link will be broken. To view the link, copy the relevant URL and remove the backslash (\) before the equals sign (=).

http://...

cs5Label

The label of the suspicious session activity

"SuspiciousSessionActivity"

cs5

The command describing the suspicious session activity

The command, for example, DeleteDB
 
  • suser, shost, src, duser, dhost and dst fields may contain a single value or a list of values. If the field contains a list of values, these values will be separated by a comma, and if they are larger than 1024, data will be omitted and “etc..” will be added to the end.
  • dhost and dst fields could be a single host or a database instance. If it is a database instance, the dhost destination will be in the format <machine:instance>.
  • When the src, dst, duser, suser or cs1 field has no value, the field is sent with the value None.

The following example shows syslog output generated by PTA:

 

CEF:0|CyberArk|PTA|13.0|1|Suspected credentials theft|8|suser=mike2@prod1.domain.com shost=prod1.domain.com src=1.1.1.1 duser=andy@dev1.domain.com dhost=dev1.domain.com dst=2.2.2.2 cs1Label=ExtraData cs1=None cs2Label=EventID cs2=52b06812ec3500ed864c461e deviceCustomDate1Label=detectionDate deviceCustomDate1=1388577900000 cs3Label=PTAlink cs3=https://1.1.1.1/incidents/52b06812ec3500ed864c461e cs4Label=ExternalLink cs4=None