CyberArk CEF Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 14 min read
Summary:
The information summarised here appears to be a structured set of audit log entries from a security system that monitors and manages events involving user accounts, security settings, and data integrity, in this case the Cyber-Ark Digital Vault Connector and ArcSight. Below is a breakdown of the key components of this log entry:
1. **Preparation of metadata for backup has begun**: This indicates that a process to back up metadata from various network elements or applications has started. Metadata typically includes information about user accounts, permissions, and other settings relevant to system security and management.
2. **Update user safe options – unauthorized (User log) and (Safe log)**: This entry suggests there were unauthorized attempts to modify the settings related to user safes, with logs reflecting such actions under both user and safe logs. Unauthorized changes could be indicative of potential internal threats or security breaches.
3. **LDAP Synchronization start and end**: This indicates a synchronization process between the system and an LDAP server for directory information, showing its initiation and completion. LDAP (Lightweight Directory Access Protocol) is commonly used to manage naming or identifying information in large distributed systems.
4. **Add Rule – unauthorized (User log) and (Safe log)**: There were attempts to add new rules that went unauthorized, which are recorded under both user and safe logs. This suggests a possible violation of access controls.
5. **Restore Metadata – Successful**: The attempt to restore metadata was successful without encountering major issues.
6. **Update Directory Map – Successful and unauthorized**: Updates to the directory map were partially successful, with some parts involving unauthorized access.
7. **Add Directory Map – Successful and unauthorized**: New directory maps were added successfully but part of this process involved unauthorized actions.
8. **Update External User - Synchronize from LDAP – Successful and Update External Group - Synchronize from LDAP - Successful**: The synchronization of external user and group information from an LDAP server was successful, indicating data consistency achieved through automated processes.
9. **Add/Update Group – Successful and unauthorized operations**: Managing groups involved both successful actions and parts that were unauthorized.
10. **Add Group Member – unauthorized and Remove Group Member – Successful**: Attempts to add members to groups were unauthorized, whereas removal processes succeeded without issue.
11. **Rebuild database tables start and end**: Indicates the initiation and completion of a process to rebuild certain database tables, which is crucial for maintaining data integrity and system performance.
12. **Delete Group – unauthorized and Successful**: Deletion operations on groups were partially successful due to unauthorized access issues.
13. **List Group Members - unauthorized**: Attempts to list group members were logged as unauthorized actions.
14. **Remove Owner – Successful**: The process of removing an owner was successfully completed without complications.
15. **Check Safe integrity operations were both successful and reserved**: This indicates that checks for the integrity of safes were partially successful, with some aspects being reserved or planned but not yet executed.
16. **Delete External User - Synchronize from LDAP – Successful and Delete External Group - Synchronize from LDAP - Successful**: Deletion processes for external users and groups synchronized from an LDAP server were completed successfully without issues.
17. **Add Rule – Successful and Delete Rule – Successful**: Adding and then deleting rules showed successful actions in rule management, which is crucial for maintaining the effectiveness of access controls.
18. **Read e-mail key – Successful and Delete e-mail key – Successful**: Operations related to reading and deleting email keys were successfully completed without encountering issues.
The final entry, "The sequence ends with "U"", likely represents a placeholder or an unfinished action that is not specified in the provided details. This could be due to various reasons such as partial implementation, ongoing processes, or system limitations.
Overall, this log entry provides detailed information about multiple aspects of network management and security operations, highlighting both successful and unsuccessful actions along with their implications for overall system integrity and control.
Details:
The document titled "CEF Connector Configuration Guide" for Cyber-Ark Software's Privileged Identity Management Suite v5.0, Inter-Business Vault v5.0, and Sensitive Document Vault Suite v5.0 outlines procedures for configuring the Cyber-Ark Digital Vault Connector for syslog event collection. Supported on Windows platforms with device versions up to v5.0, this connector is designed to meet various security regulations such as PCI, NERC, FERC, SOX, HIPAA, and GLB through its robust security layers including encryption with AES-256 and multiple authentication mechanisms.
The Cyber-Ark Digital Vault serves as a secure storage solution for credentials and sensitive information within an enterprise environment. It includes the Privileged Identity Management (PIM) Suite, Inter-Business Vault (IBV), and Sensitive Document Vault (SDV) products which together aim to secure privileged identities, audit access controls, manage shared and administrative passwords across various IT assets, and protect highly sensitive documents from unauthorized access. The vault can be deployed as software or hardware appliance depending on the organizational needs.
PIM (Privileged Identity Management) is a system designed to manage and secure privileged accounts, files, and applications within enterprises. It features patented Digital Vault® Technology, which centralizes security measures such as recording sessions, monitoring activities, creating a secure environment for sensitive information, and ensuring compliance with regulations. PIM helps streamline updates, enhance maintenance, and maintain high levels of security across all types of privileged accounts.
Cyber-Ark's Inter-Business Vault® (IBV) is a B2B Managed File Transfer, Integration, and Collaboration solution that enables enterprises to manage critical business processes with Business Partners, Customers, and Service Providers efficiently. It ensures secure transfer and handling of sensitive information across various organizations.
The Sensitive Document Vault (SDV) by Cyber-Ark serves as a secure repository for an organization's most confidential information, providing a platform for sharing these documents while maintaining their confidentiality and security.
ArcSight Technical Note provides a method to integrate with Cyber-Ark Digital Vault to send audit logs through the Syslog protocol to an enterprise SIEM (Security Information and Event Management) solution provided by ArcSight. This integration allows for the transfer of detailed audit information about user activities within the vault, including those in Safes, to the ArcSight application via the Syslog protocol.
To configure this SIEM integration:
1. The configuration file DBParm.ini should be edited with parameters such as SyslogServerIP (the IP address of the Syslog server), SyslogServerPort (UDP port 514 by default), and SyslogMessageCodeFilter, which defines which message codes will be sent for user and Safe activities.
2. A specific XSL file named SyslogTranslatorFile is used to parse Cyber-Ark audit records into a format compatible with the Syslog protocol. This file resides in the Syslog subfolder of the server's installation folder.
This document appears to be a technical note for configuring ArcSight, a security information and event management (SIEM) tool. The task involves setting up an XSL translator file for the Syslog module of ArcSight. Here's a summary of the steps outlined in the document:
1. **Locate the XSL Translator File:**
The file named "Arcsight.sample.xsl" should be found in the "Syslog" subfolder within the server installation folder.
2. **Copy the File:**
Copy the "Arcsight.sample.xsl" file to the location specified by the "SyslogTranslatorFile" parameter in the DBParm.ini configuration file.
3. **Configure Parameters in DBParm.ini:**
Ensure that the SyslogTranslatorFile parameter points to the correct path where the XSL translator file is placed.
4. **Assigned Event IDs and Descriptions:**
The document lists various event ID numbers along with their descriptions, which are crucial for understanding what each log entry represents in the ArcSight system:
0: Delete Directory Map – unauthorized (User log)
1: Delete Directory Map – unauthorized (Safe log)
2: Add External User - Successful
3 to 9: Various unauthorized access and audit events
10 to 17: Unauthorized updates related to network areas and shares
18 to 21: Events involving gateway connections and impersonation.
This technical note is part of a series, each numbered document presumably containing more detailed information or specific instructions related to different aspects of the ArcSight system configuration and event handling.
This document appears to be a list of event codes and their descriptions related to an unspecified system or application, likely within an enterprise environment. The events are numbered from 22 to 75, with each entry detailing an action that resulted in some form of unauthorized access or failure. Some examples include attempting to verify a password (event 22), failing to change a password (events 31 and 60), renaming safe or user accounts (events 34, 35, 64, and 66), adding/updating owners (events 28 and 29), and unauthorized access attempts on safes or files (events 25 to 47).
Several entries are related to password management (CPM Verify Password, Change Password, Reconcile Password) and include failure states. There are also actions related to file operations such as storing, retrieving, deleting files, which are marked as unauthorized except for successful outcomes or specific successes like creating a new file version (event 62).
Other notable events include updating trusted network areas (61), adding locations with partial success or failure (70, 72, and 74), and taking quota ownership. The document ends with two entries that are seemingly incomplete: "Take Quota Ownershi" and the last entry, number 75, which is cut off and not fully visible, suggesting it might be another action related to quotas or possibly a placeholder for future actions.
The technical note at the end (ArcSight Technical Note – Contains Confidential and Proprietary Information) suggests that these event codes are part of an internal system used by the organization, emphasizing their importance in maintaining security and data integrity within the enterprise environment.
This document outlines a series of actions and their outcomes in a secure environment, likely related to information management or compliance within an organization. The entries are categorized by the specific action taken followed by its status or outcome. Key actions include updating user settings, managing ownership and permissions, handling file requests, and dealing with system limitations or unauthorized attempts.
**76-83**: Several actions (Take Quota Ownership, Rename/Move Location, Clear User History) are marked as "unauthorized" in the logs; however, subsequent attempts were successful for some of these actions. For instance, while the initial attempts to take quota ownership or move locations might be unauthorized, subsequent successful steps suggest a progression that could involve proper authorization and adherence to protocol.
**84**: CPM Auto Detection Update Password - Indicates an update in password security settings following auto detection within the system.
**85-91**: Updates on network areas are marked as unauthorized for user logs but are successful when attempted directly, suggesting that these actions require specific permissions or need to be confirmed through another method not logged initially.
**94**: Backup Safe - Initiates a backup of data within the system, highlighting its importance and integrity management procedures.
**95**: Restore Safe - Successful restoration from a previously backed-up state, demonstrating continuity and recovery capabilities.
**100-101**: Open File actions are unauthorized in both logs (user and safe) unless explicitly successful or when authorized by another method not logged initially.
**102-105**: Logon failures due to time limit restrictions, user expiration, or disabling indicate strict security protocols regarding access controls.
**108-110**: Requests related to opening a safe for writing or reading are handled with varying degrees of success and authorization requirements.
**114-115**: Indicates confirmations required before accessing certain requests like opening a safe, which need explicit user action under specific conditions.
**116-119**: Rejections of request to open or retrieve files indicate strict policies against unauthorized access and compliance with data handling regulations.
**120-123**: Actions related to adding locations, moving files (with source and target file successful moves), renaming files, and undelete operations are logged as successful, demonstrating operational efficiency in managing digital assets.
Overall, the document provides a detailed snapshot of user interactions with a secure system, detailing actions taken and their outcomes, including unauthorized attempts and the subsequent resolutions that ensure data security and compliance with organizational policies.
The provided entries are logs from a system, likely related to file management and security settings within a software or digital environment. Each entry is prefixed with a number followed by a brief description of the action taken:
**Rename File – Successful** (indicating success in renaming a file)
**Unlock File - Successful** (successful unlocking of a file)
**Hide Open Safe Request - Successful** (successful request to hide an open safe)
**Hide Get File Request - Successful** (successful request to hide the retrieval of a file)
**CPM Auto Detection Archive Password** (action related to auto detection or archive password for CPM)
**CPM Disable Password** (action involving disabling a password for CPM)
**Update Safe failed – requested security higher than available** (attempt to update safe failed due to insufficient security level)
**Add Safe Event – unauthorized (User log/Safe log)** (unauthorized action in adding an event to the safe log or user log)
**Get Safe Events List – unauthorized (User log/Safe log)** (listing events from a safe was attempted but not authorized for the user or safe)
**CPM Release Password/Failed** (attempting to release a password related to CPM, with failure indicated in the case of CPMPassword failed)
**Rename Folder – Successful (source folder name/target folder name)** (successful renaming or moving of folders from source to target names)
**Delete Safe failed – general error/locked objects found** (failed deletion due to a general error or presence of locked objects in the safe)
**Store Picture - Successful/Delete User Picture - Successful** (success in storing or deleting user pictures)
**Update Safe – unauthorized (User log/Safe log)** (actions related to updating a safe were unauthorized for either user or safe logs)
**Delete Safe – unauthorized (User log/Safe log)** (unauthorized attempts to delete from the safe, both in terms of user and safe logs)
**Restore Safe - Unauthorized** (attempt to restore a safe was unauthorized)
**Add Folder – unauthorized (User log/Safe log)** (failed attempt to add a folder due to lack of authorization for either user or safe logs)
**Delete Folder – unauthorized (User log/Safe log)** (actions related to deleting folders were not authorized for the user or safe)
**Backup Metadata – Unauthorized/Get License Information – Unauthorized** (metadata backup or license information retrieval was attempted but unauthorized)
**Move/Rename Folder – unauthorized (User log/Safe log)** (moves or renames of folders were unauthorized for both user and safe logs)
**Move File – unauthorized (User log/Safe log)** (actions to move files were unauthorized for the user or safe logs)
**Undelete File – unauthorized (User log/Safe log)** (unauthorized attempts to undelete files from either user or safe logs)
**Rename File – unauthorized (User log/Safe log)** (renaming files was unauthorized for both user and safe logs)
These entries suggest a range of activities involving file management, security settings, and authorization checks within a digital environment. The numbers likely represent unique identifiers or sequence numbers in the system's event logging, which could be used for debugging, auditing, or compliance purposes.
This text appears to be a list of event codes or status updates related to an unspecified system or application, possibly in the realm of information security or enterprise management. The events are numbered from 171 to 224 and cover various actions such as adding users, updating user details, deleting folders, initiating backups, handling file operations, and managing directory maps.
Key points from each event:
**Unauthorized Actions**: Events 171 through 191 indicate unauthorized attempts or failed attempts at various tasks including adding/updating/deleting users, safes, folders, and attempting to get user details. These actions are marked as "unauthorized" in the logs.
**Successful Actions**: Events 180, 182, 183, 184, 185, 187, 188, 190, 192, 193, 194, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, and 223 indicate successful outcomes of the actions listed.
**Failure Conditions**: Events 189, 195, 198, 204, 205, and others describe failures or errors in operations such as deletion of folders (due to unexpired files or locked files), validation/invalidation of object content, and certain file operations.
**System Commands**: Actions like "Get User's Details" (178) become "Get Your User's Details" (179) when applied to the caller's own account, showing a change in the action required for access to personal user information.
The text is likely from an internal technical document or log system used within an organization, possibly for managing IT infrastructure, security settings, or data handling processes. The events are detailed with clear indications of success or failure, and some actions require explicit authorization beyond mere permissions.
The text provided outlines a series of actions and status updates related to system operations, which seem to be part of an IT or security management process. Here is a summary of the events described in sequence:
1. Load phase ended (adata) - Indicates that some data loading operation has completed.
2. Object Content Status Pending - Indicates that there are objects whose content status is still pending.
3. Byte Level lock and unlock operations are unauthorized, recorded both for user logs and safe logs.
4. Backup Metadata – Started: Initiation of a backup process related to metadata.
5. Rules List – unauthorized (User log) and (Safe log): Unauthorized access or operation noted in the rules list logged under user and safe logs respectively.
6. Update Directory Map Detailed Information – Successful: Indicates that updating the directory map detailed information was successful.
7. Release Gateway Locks - Successful: The process to release locks on gateway components completed successfully.
8. Prepare Backup Metadata Started: Preparation of metadata for backup has begun.
9. Update user safe options – unauthorized (User log) and (Safe log): Unauthorized changes noted in the settings related to user safes logged under both user and safe logs.
10. LDAP Synchronization start and end: Indicates the beginning and completion of a synchronization process with an LDAP server.
11. Add Rule – unauthorized (User log) and (Safe log): Attempts to add new rules were unauthorized, recorded for both user and safe logs.
12. Restore Metadata – Successful: The operation to restore metadata was successful.
13. Update Directory Map – Successful and unauthorized: Updates to the directory map completed successfully but involved unauthorized access.
14. Add Directory Map – Successful and unauthorized: Attempts to add new directory maps were partially successful with some parts unauthorized.
15. Update External User - Synchronize from LDAP – Successful and Update External Group - Synchronize from LDAP - Successful: Updates of external user and group information from LDAP were successful.
16. Add/Update Group – Successful and unauthorized operations, showing mixed results in managing groups.
17. Add Group Member – unauthorized and Remove Group Member – Successful: Attempts to add members to groups were unauthorized while removal processes succeeded.
18. Rebuild database tables start and end: Indicates the initiation and completion of a process to rebuild certain database tables.
19. Delete Group – unauthorized and Successful: Deletion operations on groups encountered unauthorized access issues, with some parts completed successfully.
20. List Group Members - unauthorized: Attempts to list group members were logged as unauthorized actions.
21. Remove Owner – Successful: The process of removing an owner was successful.
22. Check Safe integrity operations were both successful and reserved (indicating potentially ongoing or planned integrity checks).
23. Delete External User - Synchronize from LDAP – Successful and Delete External Group - Synchronize from LDAP - Successful: Deletion processes for external users and groups synchronized from LDAP were completed successfully.
24. Add Rule – Successful and Delete Rule – Successful: Adding and then deleting rules showed successful actions in rule management.
25. Delete Rule – unauthorized (User log) and (Safe log): Attempts to delete rules encountered unauthorized access issues, logged under both user and safe logs.
26. Read e-mail key – Successful and Delete e-mail key – Successful: Operations related to reading and deleting email keys were successful.
27. The sequence ends with "U", likely indicating a placeholder for an unfinished or unspecified action.
The document provides a summary of various events related to network management, including firewall updates, group member synchronization, password storage and retrieval, safe operations, and certificate revocation list data downloading. It also outlines the technical details for event interoperability between Cyber-Ark Digital Vault Connector and ArcSight, specifying how vendor-specific event definitions are mapped to ArcSight data fields.
The provided information is a structured data string from ArcSight, which contains details about an event or request. Here's the breakdown of each field in the context of this example:
**cs1 (Affected User Name)**: This is the username or user identifier affected by the action or event. In the mapping it is carried in the "cs1" custom string field.
**Safe cs2 (Safe Name)**: This refers to the name of a "safe" or storage location where assets are kept secure. The safe's name is provided as "cs2".
**Location cs3 (Location)**: Indicates the physical or virtual location associated with the event, identified by "cs3".
**Category cs4 (Property Name)**: This field denotes the category or type of property involved in the incident or request. It is denoted by "cs4".
**TargetUser cs5 (Target User Name)**: The username or identifier of the target user associated with this event, as indicated by "cs5".
**RequestId cn1 (Request Id)**: A unique identifier for a specific request being processed, noted by "cn1".
**ExtraDetails msg**: This is additional information or context provided in a textual form that might include details about the incident or request. The exact content of this message varies and can be brief or detailed depending on the system's configuration.
This structured data format is typical for systems using ArcSight, which are often used for security monitoring and event management. Each field serves as a component in tracking and managing incidents, requests, and other related activities within the organization's IT infrastructure.
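As an added example (not code from the guide or from Cyber-Ark/ArcSight), the following Python parses CEF lines shaped by the field mapping above (cs1..cs5, cn1, msg resolved through their csNLabel/cnNLabel names), applies a message-code allow list in the spirit of SyslogMessageCodeFilter, and flags forwarded events whose name records an unauthorized outcome. The sample events are constructed, and the "a-b,c" range syntax for the filter is an assumption, since the guide only says the parameter selects which message codes are sent.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events (not from the guide), shaped the way the guide maps
# Cyber-Ark audit records into CEF: cs1=Affected User Name, cs2=Safe Name,
# cs3=Location, cs4=Property Name, cs5=Target User Name, cn1=Request Id, msg=details.
SAMPLE_EVENTS = [
    r"CEF:0|Cyber-Ark|Vault|5.0|22|CPM Verify Password|3|suser=PasswordManager "
    r"cs1Label=Affected User Name cs1=root cs2Label=Safe Name cs2=Unix Prod "
    r"cn1Label=Request Id cn1=42 msg=verification ok",
    r"CEF:0|Cyber-Ark|Vault|5.0|100|Open File - unauthorized (User log)|7|suser=jdoe "
    r"cs1Label=Affected User Name cs1=jdoe cs2Label=Safe Name cs2=Finance "
    r"cs3Label=Location cs3=Root\\Finance msg=Policy\=ReadOnly denied",
    r"CEF:0|Cyber-Ark|Vault|5.0|185|Add Folder - Successful|2|suser=svc_backup "
    r"cs1Label=Affected User Name cs1=svc_backup cs2Label=Safe Name cs2=Backups",
]

# An extension key is an unescaped token right before '='; '\=' inside a value never starts a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven CEF header fields on unescaped '|' and return the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # '\|' and '\\' are literal characters
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    return fields, line[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value' pairs; values may contain spaces and escaped '=' / backslashes."""
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)]
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw).strip()
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line and resolve csN/cnN fields through their csNLabel/cnNLabel names."""
    header, ext = _split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    raw = _parse_extension(ext)
    fields = {raw.get(k + "Label", k): v for k, v in raw.items() if not k.endswith("Label")}
    return {"vendor": header[1], "product": header[2], "device_version": header[3],
            "message_code": int(header[4]), "name": header[5],
            "severity": int(header[6]), "fields": fields}


def code_filter(spec: str) -> Callable[[int], bool]:
    """Predicate for a message-code allow list, e.g. '0-130,185' (range syntax is assumed)."""
    allowed = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return lambda code: code in allowed


def flag_unauthorized(events: List[str], allow: Callable[[int], bool]) -> List[str]:
    """Among events the filter forwards, list 'code:user:safe' for '... - unauthorized' outcomes."""
    hits = []
    for ev in (parse_cef(e) for e in events):
        if allow(ev["message_code"]) and "unauthorized" in ev["name"].lower():
            f = ev["fields"]
            hits.append(f"{ev['message_code']}:{f.get('Affected User Name', '?')}:{f.get('Safe Name', '?')}")
    return hits
```

The label resolution is what turns an opaque `cs2` into the "Safe Name" the guide describes, so detection rules can be written against the named field rather than the slot number.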