So this is a NICE, extremely nice dashboard, but I don't think my enterprise will let me download this unless it comes from, like, Splunk or CyberArk, aka from a trusted sender, trusted host, etc. I / we could retype everything, which is very time consuming, and would have to ask the author's permission. Basically I can't import "internet code" into a Fortune 100 company. I need a dashboard as well. The CyberArk one is, well, people laugh at the CyberArk health monitor. CyberArk, being a TIER ZERO application, should really have some better monitoring and dashboards, especially when it's at a more important level than A/D Federation etc. I was sent this a few hours ago. Thank you to the senders, it's an amazing product, but I don't think I can import internet code ... https://github.com/jcreameriii/PAS-APM-Dashboard-Package-for-Splunk

Hi Kennet, I'm a CyberArk CDE / SME. So the Vault, being a bastion host, does not respond to ping etc. It can open ports when the communication is initiated from within the vault. The vault can send SNMP traps through an agent which is configured in 2 places, and they share a private and public key sort of "trust" called a CRED file (this is how all of the CyberArk components "trust" and communicate). The Vault can send SNMP traps to, say, the CPM server; from there the CPM server (not as hardened) can have an SNMP relay and send that to syslog - Splunk, SolarWinds, on and on.

NOW for syslog, CyberArk uses a translator file located in the Vault's server folder. It used to be the ArcSight translator file but now it is the Splunk translator file. This will "translate" or transform the CyberArk Vault events into CEF. Where my Splunk but not SIEM knowledge gets a bit grey is I believe I need to have the "Source Type" configured by my Splunk admins. I see F5, I see Cisco, I see Hadoop, I see all kinds of devices in my company's source type but I do not see CyberArk. Read this article (good article) and reverse engineer it, and/or check your Splunk systems to see if you're getting *.monitor from your vaults (good starting point).

So after typing this I realized my question: "Do I need my Splunk admins to create a CyberArk source type, or is this what the Splunk CyberArk add-on configures/enables?" Contact me with any other ideas and/or CyberArk questions. Re: Ed