Cyber-Ark Privileged Session Manager 7.1 Action 2012

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The "Action Connector Configuration Guide" is a document for informational use only, advising users to report errors to HP. It pertains to Cyber-Ark's Privileged Identity Management (PIM) 7.1, designed for integration with ArcSight Event Security Module (ESM). This guide covers configuring PIM and PSM actions for ESM, enhancing security by monitoring privileged account usage across various platforms. The document explains how to configure the system, including specific event IDs in Cyber-Ark's dbparm.ini file, sending these events to ArcSight using an Action Connector, and installing a content package in ArcSight ESM. It provides detailed instructions for verifying successful integration, such as configuring a target and using integration commands to monitor live sessions or view recordings.

Details:

The "Action Connector Configuration Guide" is a document intended for informational use only, with information subject to change without notice. It advises reporting errors to HP. HP disclaims any liability related to the content of this document.

The guide pertains to Cyber-Ark's Privileged Identity and Session Management Suites version 7.1, specifically designed for integration with ArcSight ESM (version 5.0.1.6642.2 and later). It supports versions 6.0 and above of both Cyber-Ark PSM and PIM. The guide covers configuring the Privileged Identity Management (PIM) and Privileged Session Management (PSM) actions for ArcSight ESM, providing support information for issues outside the ArcSight team's capabilities, directing inquiries to Cyber-Ark Support with contact details provided.

The passage discusses how integrating Cyber-Ark's Privileged Identity Management (PIM) with HP ArcSight Event Manager (ESM) enhances security by monitoring and tracking privileged account usage across various platforms including on-premise, off-premise, and cloud environments. This integration allows organizations to gain visibility into who is using privileged credentials, when they are used, and what activities they perform. Through this integration, Cyber-Ark's PIM solution provides capabilities to monitor and track every privileged account in an organization, enabling it to answer questions about the usage of such accounts. Without Cyber-Ark, this information would be anonymous within ArcSight ESM.

The addition of Privileged Session Manager extends these capabilities by allowing real-time or playback recording session viewing during privileged credential usages, facilitating quicker forensic analysis and change management reviews. The integration sends audit information to HP/ArcSight for a unified view of all privileged activity.
When a user checks out an Administrator ID from Cyber-Ark's PIM solution for performing tasks like clearing the native Windows audit log, this action is reflected in ArcSight ESM with details about the exact person who used that credential. This enhanced accountability and visibility are achieved through correlation or forwarding via Common Event Format (CEF). For more detailed information on data flow from Cyber-Ark to HP/ArcSight for analysis, correlation, alerting, and notification, refer to the Common Event Format Configuration Guide specifically tailored for Cyber-Ark’s Privileged Identity Management – Enterprise Password Vault.

The document explains how to extend Cyber-Ark's Privileged Session Management Suite (PSM) capabilities after initial integration. PSM complements the PIM suite and helps organizations isolate, control, and monitor privileged sessions for various targets such as Operating Systems, Databases, Network Devices, Websites, Applications, etc. It can also monitor personal or non-managed privileged accounts and provide secure remote access to third parties without disclosing credentials. Organizations have options to record sessions visually and/or via keystroke captures according to policy, including or excluding users and groups.

PSM allows live session monitoring and integrates with HP/ArcSight Event Security Module (ESM). This integration enables events like PSM Connect to be sent to ESM for real-time viewing, interaction, or termination based on role within the PIM solution. The document also mentions that integrating Cyber-Ark's Privileged Identity and Session Management suites with ArcSight ESM allows privileged activity to be correlated, alerted on, and viewed in real time or as a recorded playback from within the ESM console. PSM Upload records can answer questions about sessions by being acted upon in ESM, providing detailed information for analysis.
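The checkout-to-activity correlation described above (a shared Administrator credential is retrieved, then the Windows audit log is cleared) can be sketched as follows. This is an added example, not code from the guide or from either vendor; the sample CEF lines, the `CHECKOUT-PLACEHOLDER` signature ID, the extension field mapping (`suser`, `duser`, `dhost`, ISO-formatted `rt`) and the 30-minute window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events. Vendor/product strings, the checkout signature ID
# and the extension field mapping are assumptions, not values from the guide.
SAMPLE_EVENTS = [
    "CEF:0|Cyber-Ark|Vault|7.1|CHECKOUT-PLACEHOLDER|Retrieve password|5|"
    "rt=2012-06-01T10:02:11 suser=jsmith duser=Administrator dhost=srv-db01",
    "CEF:0|Microsoft|Windows|6.1|1102|The audit log was cleared|8|"
    "rt=2012-06-01T10:09:40 suser=Administrator dhost=srv-db01",
    "CEF:0|Microsoft|Windows|6.1|1102|The audit log was cleared|8|"
    "rt=2012-06-01T14:30:00 suser=Administrator dhost=srv-web02",
]

def parse_cef(line):
    """Split the 7 pipe-delimited CEF header fields, then the key=value extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Extension values may contain spaces, so read up to the next " key=".
    ext = {m.group(1): m.group(2)
           for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", parts[7])}
    return {"vendor": parts[1], "sig": parts[4], "name": parts[5],
            "time": datetime.fromisoformat(ext["rt"]), **ext}

def attribute(events, window=timedelta(minutes=30)):
    """Map each shared-account activity to the person who checked the account out.

    Returns (host, activity, person) tuples; person is None when no checkout of
    that account for that host precedes the activity within the window.
    """
    checkouts, findings = [], []
    for ev in sorted(map(parse_cef, events), key=lambda e: e["time"]):
        if ev["vendor"] == "Cyber-Ark":
            checkouts.append(ev)
            continue
        owner = None
        for co in reversed(checkouts):  # most recent checkout first
            same_account = (co["duser"], co["dhost"]) == (ev["suser"], ev["dhost"])
            if same_account and ev["time"] - co["time"] <= window:
                owner = co["suser"]
                break
        findings.append((ev["dhost"], ev["name"], owner))
    return findings

if __name__ == "__main__":
    for host, activity, person in attribute(SAMPLE_EVENTS):
        print(host, activity, person or "UNATTRIBUTED: no vault checkout found")
```

The second log-clear event has no matching checkout, which is the case worth alerting on: the shared credential was used without going through the vault.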
This summary outlines how to configure and integrate Cyber-Ark's Privileged Identity Management - Enterprise Password Vault with ArcSight for event monitoring and session viewing. Key steps include configuring specific event IDs in the Cyber-Ark dbparm.ini file, ensuring these events are sent to ArcSight. The integration utilizes an Action Connector through ArcSight that allows immediate access to live privileged sessions or analyzes previously recorded sessions. Detailed instructions for installing a content package in ArcSight ESM are provided, including logging into the console, navigating to the Packages tab, importing and installing the bundle file with progress tracking displayed during each step of the process.

This document outlines how to verify successful installation of a specific integration package for ArcSight Event Management System (ESM). To do this, navigate through the Navigator panel's Resources tab and Integration Commands dropdown menu. Locate the ArcSight Partner Sample Content folder and open the Cyber-Ark Session Monitoring group. The included commands are:

1. Configuring a Target:

  • Navigate to the Resources tab of the Navigator panel, select Integration Commands from the drop-down menu, then go to the Targets tab.

  • Open the ArcSight Partner Sample Content folder and the Cyber-Ark Session Monitoring group.

  • Double click on the target to configure it: replace its IP address (currently set as 1.1.1.1) with that of your Cyber-Ark Password Vault Web Access (PVWA) device.

2. Using an Integration Command:

  • To monitor live sessions, right-click on relevant events in active channels or other viewers and select "Cyber-Ark Session Monitoring" from the integration commands menu.

  • From the ESM console, you can view, interact with, or terminate privileged sessions by selecting the appropriate command based on your needs. You may also choose to view session recordings, either directly or after downloading them.

For detailed information and additional support, refer to the ArcSight ESM Admin Guide.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
