Collect CyberArk PAM logs

This parser code first extracts fields from CyberArk Privileged Access Manager (PAM) syslog messages using regular expressions. Then, it maps the extracted fields to a unified data model (UDM), enriching the data with additional context and standardizing the event type based on specific criteria.

Before you begin

• Ensure that you have a Google Security Operations instance.
• Ensure that you are using Windows 2016 or later, or a Linux host with systemd.
• If running behind a proxy, ensure firewall ports are open.

Get Google SecOps ingestion authentication file

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Collection Agents.
3. Download the Ingestion Authentication File.

Get Google SecOps customer ID

1. Sign in to the Google SecOps console.
2. Go to SIEM Settings > Profile.
3. Copy and save the Customer ID from the Organization Details section.

Install BindPlane Agent

1. For Windows installation, run the following script:
   msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
2. For Linux installation, run the following script:
   sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
3. Additional installation options can be found in this installation guide.

Configure BindPlane Agent to ingest Syslog and send to Google SecOps

1. Access the machine where BindPlane is installed.

2. Edit the config.yaml file as follows:

   receivers:
       tcplog:
           # Replace the below port <54525> and IP <0.0.0.0> with your specific values
           listen_address: "0.0.0.0:54525" 
   
   exporters:
       chronicle/chronicle_w_labels:
           compression: gzip
           # Adjust the creds location below according the placement of the credentials file you downloaded
           creds: '{ json file for creds }'
           # Replace <customer_id> below with your actual ID that you copied
           customer_id: <customer_id>
           endpoint: malachiteingestion-pa.googleapis.com
           # You can apply ingestion labels below as preferred
           ingestion_labels:
           log_type: SYSLOG
           namespace: Cyberark_PAM
           raw_log_field: body
   service:
       pipelines:
           logs/source0__chronicle_w_labels-0:
               receivers:
                   - tcplog
               exporters:
                   - chronicle/chronicle_w_labels
   

3. Restart the BindPlane Agent to apply the changes:

   sudo systemctl restart bindplane
   

Configure Syslog Export for CyberArk Vault

1. Log in to the Vault server.
2. Open the configuration file dbparm.ini, located at: C:\Program Files (x86)\CyberArk\Vault\Server\dbparm.ini.

3. Add or modify the following parameters:

   SyslogServer=<syslog_server_ip>
   SyslogPort=<syslog_server_port>
   SyslogProtocol=<TCP or UDP>
   SyslogFormat=Syslog
   

4. Save the dbparm.ini file.

5. Restart the Vault Server:

   net stop CyberArkVault
   net start CyberArkVault
   

Configure Syslog Export in PVWA

1. Log in to the PVWA Server.
2. Open the Web.config file, located at: C:\inetpub\wwwroot\PasswordVault\

3. Add or modify the following keys:

   <add key="SyslogServer" value="<syslog_server_ip>" />
   <add key="SyslogPort" value="<syslog_server_port>" />
   <add key="SyslogProtocol" value="<TCP or UDP>" />
   <add key="SyslogFormat" value="Syslog" />
   

4. Save the changes to the Web.config file.

5. Restart the IIS service:

   iisreset
   

Configure Syslog Export in PTA

1. Access the PTA server using SSH.
2. Open the application.properties file, located at: /opt/cta/config/application.properties

3. Add or modify the following lines:

   syslog.server.ip=<syslog_server_ip>
   syslog.server.port=<syslog_server_port>
   syslog.protocol=<TCP or UDP>
   

4. Save the application.properties file.

5. Restart the PTA service to apply the changes:

   sudo service pta restart
   

UDM Mapping Table

Changes

2024-05-05

• Newly created parser.