Collect CyberArk EPM logs

This parser transforms CyberArk EPM log data into the unified data model (UDM). It iterates through each event in the log, maps the relevant fields to their corresponding UDM fields, handles nested structures such as the exposedUsers array, and enriches the output with static vendor and product information.

Before you begin

  • Ensure that you have a Google Security Operations instance.
  • Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open.
  • Ensure that you have privileged access to the EPM Server Management Console.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

  1. For Windows installation, run the following command:
    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
  2. For Linux installation, run the following command:
    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
  3. Additional installation options can be found in this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

  1. Access the machine where BindPlane is installed.
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            # Replace the port <54525> and IP <0.0.0.0> below with your specific values
            listen_address: "0.0.0.0:54525"

    exporters:
        chronicle/chronicle_w_labels:
            compression: gzip
            # Adjust the creds location below according to where you placed the credentials file you downloaded
            creds: '{ json file for creds }'
            # Replace <customer_id> below with the actual ID that you copied
            customer_id: <customer_id>
            endpoint: malachiteingestion-pa.googleapis.com
            # You can apply ingestion labels below as preferred
            ingestion_labels:
            log_type: SYSLOG
            namespace: Cyberark_EPM
            raw_log_field: body

    service:
        pipelines:
            logs/source0__chronicle_w_labels-0:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/chronicle_w_labels

  3. Restart the BindPlane Agent to apply the changes:

    sudo systemctl restart bindplane
    

Configure Third-Party Event Forwarding in EPM

  1. Sign in to the EPM Server Management console.
  2. Go to Advanced > Server Configuration.
  3. In the Event Listeners section, locate the Third-party Listeners setting.
  4. Set the value to On to activate third-party listeners.
  5. Configure the Syslog listener by providing the following details:
    • Syslog Server IP: enter the IP address of the syslog server (the BindPlane host).
    • Syslog Port: specify the port number the syslog server (BindPlane) listens on.
    • Protocol: choose the protocol configured in the syslog server (TCP or UDP).
    • Format: select Syslog as the format for the logs.
  6. Click Save.

UDM Mapping Table

Log Field | UDM Mapping | Logic
agentId | principal.asset.asset_id | Concatenates "agentId:" with the value of the agentId field.
computerName | principal.hostname | Directly maps the computerName field.
displayName | metadata.description | Directly maps the displayName field.
eventType | metadata.product_event_type | Directly maps the eventType field.
exposedUsers.[].accountName | target.user.attribute.labels | Creates a label with key "accountName_[index]" and value from exposedUsers.[index].accountName.
exposedUsers.[].domain | target.user.attribute.labels | Creates a label with key "domain_[index]" and value from exposedUsers.[index].domain.
exposedUsers.[].username | target.user.attribute.labels | Creates a label with key "username_[index]" and value from exposedUsers.[index].username.
filePath | target.file.full_path | Directly maps the filePath field.
hash | target.file.sha1 | Directly maps the hash field.
operatingSystemType | principal.platform | Maps "Windows" to "WINDOWS" if the operatingSystemType field is "Windows".
policyName | security_result.rule_name | Directly maps the policyName field.
processCommandLine | target.process.command_line | Directly maps the processCommandLine field.
publisher | additional.fields | Creates a field with key "Publisher" and string_value from the publisher field.
sourceProcessCommandLine | target.process.parent_process.command_line | Directly maps the sourceProcessCommandLine field.
sourceProcessHash | target.process.parent_process.file.sha1 | Directly maps the sourceProcessHash field.
sourceProcessSigner | additional.fields | Creates a field with key "sourceProcessSigner" and string_value from the sourceProcessSigner field.
threatProtectionAction | security_result.action_details | Directly maps the threatProtectionAction field.
(none) | metadata.event_timestamp | Sets the event timestamp to the log entry's create_time.
(none) | metadata.event_type | Hardcoded to "STATUS_UPDATE".
(none) | metadata.log_type | Hardcoded to "CYBERARK_EPM".
(none) | metadata.product_name | Hardcoded to "EPM".
(none) | metadata.vendor_name | Hardcoded to "CYBERARK".
(none) | security_result.alert_state | Hardcoded to "ALERTING".
userName | principal.user.userid | Directly maps the userName field.
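The mapping logic in the table above, written out as an added Python example (not the Google SecOps parser itself) so the rules can be checked against a sample event. The event, its values and the flat dotted-path output format are constructed for this illustration; the indexed exposedUsers labels and the hardcoded metadata values follow the table.

```python
# Constructed sample CyberArk EPM event: field names follow the table above,
# values are made up rather than captured from a real host.
SAMPLE_EVENT = {
    "agentId": "a1b2c3", "computerName": "WS-0042", "eventType": "Attack",
    "operatingSystemType": "Windows", "userName": "alice", "publisher": "Microsoft Windows",
    "hash": "da39a3ee5e6b4b0d3255bfef95601890afd80709", "threatProtectionAction": "Block",
    "processCommandLine": "wscript.exe invoice.vbs",
    "exposedUsers": [{"accountName": "CORP\\alice", "domain": "CORP", "username": "alice"},
                     {"accountName": "CORP\\svc-backup", "domain": "CORP"}],
}

DIRECT = {  # the "Directly maps" rows of the table: log field -> dotted UDM path
    "computerName": "principal.hostname", "displayName": "metadata.description",
    "eventType": "metadata.product_event_type", "filePath": "target.file.full_path",
    "hash": "target.file.sha1", "policyName": "security_result.rule_name",
    "processCommandLine": "target.process.command_line",
    "sourceProcessCommandLine": "target.process.parent_process.command_line",
    "sourceProcessHash": "target.process.parent_process.file.sha1",
    "threatProtectionAction": "security_result.action_details",
    "userName": "principal.user.userid",
}

def epm_to_udm(event: dict, create_time: str) -> dict:
    """Map one EPM event to a flat dict keyed by dotted UDM path."""
    udm = {  # static values the parser hardcodes for every event
        "metadata.event_timestamp": create_time, "metadata.event_type": "STATUS_UPDATE",
        "metadata.log_type": "CYBERARK_EPM", "metadata.product_name": "EPM",
        "metadata.vendor_name": "CYBERARK", "security_result.alert_state": "ALERTING",
    }
    for field, path in DIRECT.items():
        if field in event:
            udm[path] = event[field]
    if "agentId" in event:
        udm["principal.asset.asset_id"] = "agentId:" + str(event["agentId"])
    if event.get("operatingSystemType") == "Windows":  # only value the table maps
        udm["principal.platform"] = "WINDOWS"
    # Each exposed user becomes index-suffixed labels on target.user
    labels = [{"key": f"{k}_{i}", "value": u[k]}
              for i, u in enumerate(event.get("exposedUsers", []))
              for k in ("accountName", "domain", "username") if k in u]
    if labels:
        udm["target.user.attribute.labels"] = labels
    # publisher and sourceProcessSigner are kept as additional.fields entries
    extra = [{"key": key, "value": {"string_value": event[f]}} for f, key in
             (("publisher", "Publisher"), ("sourceProcessSigner", "sourceProcessSigner")) if f in event]
    if extra:
        udm["additional.fields"] = extra
    return udm
```

Note that a user entry missing one of the three keys simply produces fewer labels for that index, and a non-Windows operatingSystemType leaves principal.platform unset, matching the table.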

Changes

2023-08-22

  • Newly created parser