Cyber-Ark Privileged Identity Management 7.1 CEF Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
The "CEF Connector Configuration Guide" is an informational document provided by HP for configuring Cyber-Ark Solutions to collect syslog events from devices such as Windows, Linux, and Solaris platforms (versions 6.0 and above are supported). It explains how to set up the integration with HP ArcSight for monitoring and tracking of privileged activities. The key steps are configuring the Digital Vault Server, configuring which events are sent, handling specific events, and mapping detailed Cyber-Ark events to HP ArcSight's data fields. The document also describes the data display logic, including the fallback used for user information when a specific field is not populated.
Details:
The "CEF Connector Configuration Guide" is provided for informational purposes only and its content may change without prior notice. Readers are asked to report any errors to HP for correction, and HP offers no warranties or liability concerning the document. The guide covers a Certified CEF integration, meaning the connector meets the requirements of the HP ArcSight Common Event Format (CEF). Its events are categorized so they can be used in correlation rules, reports, and dashboards within ArcSight, and the integration was validated as a proof-of-concept (POC) for the joint solution.
The guide also includes support information: if the issue is not within the ArcSight team's ability to solve, contact Cyber-Ark Support via phone at 1-888-808-9005 or visit their website for assistance. The Enterprise Password Vault version 7.1 was certified by HP in June 2012 and has since been revised on July 10, 2012, marking its seventh revision.
The guide is specifically designed for configuring Cyber-Ark Solutions to collect syslog events from various devices like Windows, Linux, and Solaris platforms, supporting versions 6.0 and above.
Cyber-Ark is a security company whose products protect and manage privileged users, applications, and sensitive information in order to improve compliance, productivity, and defence against insider threats and external attacks. Its product suites are Privileged Identity Management (PIM), Sensitive Information Management (SIM), and Privileged Session Management (PSM). They let organizations record who is using a privileged password or access right, when they use it, and exactly what they do with it.
Cyber-Ark also integrates with HP ArcSight so that privileged activity, such as logging into critical servers and performing actions that require elevated permissions, can be forwarded to ArcSight. This gives security teams a single view of all privileged activity, making it easier to manage data security effectively.
The document outlines the configuration for integrating Cyber-Ark Solutions with HP ArcSight for fast forensics and change management capabilities. To set up this integration:
1. **Configuration of Digital Vault Server**:
An XSL parser for HP ArcSight CEF is included out of the box on the Vault server.
Point to the IP Address(es) of your HP ArcSight implementation and define the port (default is 514 UDP, but can be changed to TCP).
Configure event IDs that you want to send from the Cyber-Ark solution to HP ArcSight. Over 300 events can be configured.
A screenshot in the guide shows this configuration in the Cyber-Ark solution. A restart of the Vault server is required after setup.
Optionally, data can be sent to an ArcSight CEF Smart Connector which forwards it to ESM (Enterprise Security Manager).
2. **Event Configuration**:
Attached are Action Codes (Event IDs) that can be forwarded through CEF, enabling various events to be mapped to ArcSight Data Fields.
Vendor-specific event definitions are sent to the ArcSight Smart Connector and then mapped to an ArcSight data field.
A table provided lists the mappings from ArcSight data fields to supported vendor-specific event definitions.
3. **Specific Event Handling**:
For PSM (Privileged Session Management) Connect and Disconnect events, relevant values such as SrcHost, DstHost, etc., are displayed based on the event type.
This setup aims to facilitate efficient forensics and change management by mapping detailed Cyber-Ark Events to HP ArcSight's data fields, enhancing visibility into system activities for better security posture and incident response capabilities.
The remaining section of the guide describes how event data is extracted and displayed in ArcSight. The key points are:
**Data Display Logic**:
1. **Address** value from file categories if it's not a PSM Connect and Disconnect event.
2. **User (duser)** value for PSM Connect and Disconnect events.
3. If there is no User or Target user field, the system will use **username** from file categories.
4. The displayed values include **SessionID**, **Protocol**, and **Command – Extra Details**, plus the vendor-specific event data carried in ArcSight's custom string and number fields, labelled as follows:
- **cs1Label**: Source User
- **cs2Label**: Safe Name
- **cs3Label**: Device Type
- **cs4Label**: Database
- **cs5Label**: Location\Category\GatewayStation
- **cn1Label**: RequestID
5. If a TicketID is available, it will be shown under the **Reason** field (cn2Label).
6. The displayed values are based on whether the event is related to PSM Connect and Disconnect or other events where relevant data fields are populated.
**General Data Display Rules**:
If no specific user information is available, the display falls back to the username from file categories.
This method ensures that essential details about each event are captured and displayed consistently across different types of logged events, providing a standardized way to view relevant data fields regardless of the type of event or its source.
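The CEF forwarding configured in the steps above and the data display rules just described, as an added example (not code from the Cyber-Ark guide or from HP): it splits a CEF header, reads the extension key/value pairs, resolves the csNLabel/cnNLabel pairs the guide lists, and applies the duser / file-category user fallback. The sample event lines, the event IDs 999 and 998, and the precedence order used for non-PSM events are my assumptions.

```python
# Added example (not from the Cyber-Ark/HP guide): parse a CEF line as the Vault
# sends it to ArcSight, resolve the csN/cnN label pairs, and apply the guide's
# user-display fallback. Event IDs, names and values below are constructed.
import re

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "event_id", "name", "severity")

def split_header(line):
    """Split the seven pipe-delimited header fields; '\\|' is an escaped pipe."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts[0] = parts[0][len("CEF:"):]
    header = dict(zip(HEADER_FIELDS, (p.replace("\\|", "|") for p in parts[:7])))
    return header, parts[7]

def parse_extension(ext):
    """Extension is key=value pairs; values may hold spaces, so split on ' key='."""
    pairs = re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", ext)
    return {m.group(1): m.group(2).replace("\\=", "=") for m in pairs}

def resolve_labels(fields):
    """Turn cs2Label=Safe Name / cs2=UnixRoot into {'Safe Name': 'UnixRoot'}."""
    named = {}
    for key, label in fields.items():
        base = key[:-len("Label")] if key.endswith("Label") else None
        if base in fields:
            named[label] = fields[base]
    return named

def parse_cef(line):
    header, ext = split_header(line)
    fields = parse_extension(ext)
    return header, fields, resolve_labels(fields)

def display_user(header, fields, named, file_category_username):
    """Guide's rule: PSM Connect/Disconnect show duser; other events fall back to the
    file-category username. Precedence Source User -> duser -> file category is assumed."""
    if header["name"] in ("PSM Connect", "PSM Disconnect"):
        return fields.get("duser") or file_category_username
    return named.get("Source User") or fields.get("duser") or file_category_username

# Constructed sample events (event IDs 999/998 are placeholders, not real codes).
SAMPLE_PSM = ("CEF:0|Cyber-Ark|Vault|7.1|999|PSM Connect|5|act=PSM Connect "
              "suser=admin duser=root shost=10.0.0.5 dhost=db01 cs1Label=Source User "
              "cs1=admin cs2Label=Safe Name cs2=UnixRoot cn1Label=RequestID cn1=42")
SAMPLE_OTHER = ("CEF:0|Cyber-Ark|Vault|7.1|998|Retrieve File|3|act=Retrieve File "
                "shost=10.0.0.7 cs2Label=Safe Name cs2=UnixRoot cn2Label=Reason cn2=TKT-1")
```

Calling `parse_cef(SAMPLE_OTHER)` yields no user field at all, so `display_user` returns whatever username the Vault's file categories supplied, which is exactly the fallback the guide describes.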
