Getting Data In

Splunk Cloud Version: 7.2.10.2 CyberArk Vault Action Codes

warlock003
Engager

Splunk Cloud

Version:7.2.10.2

Splunk CyberArk Vault Action Codes question Thank you for helping me! - Example sample queries. I am looking to query our Splunk cloud for the vault action codes example logon or retrieve password or use password - what would the sample Splunk query be?. I can see traffic from our HA pair usually via the active nodes IP - We have the Splunk translator file enabled in DB PARM.

Do I need the CyberArk add on for Splunk?

OR the other way for the Splunk system

Do I need the CyberArk add on for Splunk ?

I'm not new to SIEM I ha worked with parsers and QRADAR etc. Thanks for your help!

Please let me recap:

  1. I'm looking for a sample Splunk query to extract vault action codes
  2. I'm looking for a sample Splunk query to extract services like DR stopped
  3. Does anyone have a dashboard they can recommend Splunk dashboard

Thank you genuinely Eddie

Labels (3)
0 Karma

kennetkline
Path Finder

@warlock003   I am very strong with Splunk SPL;  among various scripting languages perl/powershell.

The observation I made on the scripts as run;  I can definitely see some value in what is there.  I would need to do more digging; but there is data that you may already be collecting via Windows TA (services/processes).  This could then be baked into an ITSI  dashboard.

As to just bringing into the scripts.  We put all aspects Splunk Config under version control (internal GIT server), nightly commits.  We also have established pull mechanism.  I could see the two scripts to be added as inputs on a clone of the Windows TA app in a serverclass for the CyberArk servers.  You then have ability to Centrally control the scripts as deployed run; 

I will definitely keep comms open as work through my various aspects of Privilege Management Dashboard I need to create in conjunction with CyberArk Data Sources (after I have a change to analysis the logging data) in the coming weeks/months.  I will keep these questions in mind as we deploy.

0 Karma

kennetkline
Path Finder

Bookmarking this Topic,  

I am scheduled to get delivery of a CyberArk Vault to be created for my staff this week coming.  I need to confirm how effective our CyberArk Integration is as to safe actions.

We will be doing a series of test to confirm the extent of logging (as to cyberark, vaults, and credential edit/use/delete/modify)  going to try and assess end to end.

I do have tasks to see what dashboards will need developed.   I assume we need CyberArk Addon (I think we have loaded as we need to have transforms / props.  Not sure if there is custom action codes as you stated that need to be looked up to be meaningful.  I will need a couple of hours to dig through and analyze schema in verbose mode.

I will post feedback as I find, if somebody doesn't otherwise comeback first with some knowledge to share.

0 Karma

warlock003
Engager

So this is a NICE extremely nice dashboard but I don't think my enterprise will let me download this unless it comes from like Splunk or CyberArk aka from a trusted sender trusted host etc. I / we could retype everything very time consuming and would have to ask the author's permission. Basically I cant import "internet code into a fortune 100 company. I need a dash board as well. the CyberArk one is like well people laugh at the CyberArk health monitor. CyberArk being a TIER ZERO application should really have some better monitoring and dashboards especially when its at a more important level than A/D Federation etc.

I was sent this a few hours ago thank you to the senders its an amazing product but I don't think I can import internet code ...

https://github.com/jcreameriii/PAS-APM-Dashboard-Package-for-Splunk

 

 

Hi Kennet I'm a CyberArk CDE / SME - So The Vault being a bastion host does not respond to ping etc. it can open ports when the communication is initiated from within the vault. The vault can send SNMP traps thru an agent which is configured in 2 places and they share a private and public key sort of "trust" called a CRED file (this is how all of the CyberArk components "trust" and communicate. The Vault can send SNP traps to say the CPM server from thier the CPM server (not as hardened ) can have a snmp relay and send that to syslog - Splunk solar winds on and on. NOW for Syslog CyberArk uses a translator file located in the Vaults server folder. It usta be the Arcsight translator file but now it it the Splunk translator file. this will "translate" or transform the CyberArk Vault events into CEF. where my Splunk but not Siem knowledge get a bit grey is I believe I need to have the "Source Type" configured by my Splunk admins. I see F5 I see Cisco I see Hadoop I see all kinds of devices in my companies source type but I do not see CyberArk, read this artcle - good article and reverse engineer it and or check your Splunk systems to see if your getting *.monitor from your vaults (good starting Point) So after typing this I realized my question "Do I need my Splunk admins to create CyberArk source Type or is tis what the Splunk CyberArk add on configures/enables ?) contact me with any other idea and or CyberArk questions. Re: Ed

Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...