So for the Master Password use, I think I could check the palog. if I go to C:\users\administrator\roaming\cyberark\privateark and check palog, I see entries like: "user master is working with vault prod with x records per send"    As for the Backend Vault Built in Admin Use. That may be something we need to configure the Safe to send out notifications on use and you can trigger off of that email that is sent out.   for sssd.conf, (this is the one I know the least about) I am thinking I need to reach out to our unix/linux group and see if they have any monitoring on those files, and if they do not, we may be able to set something up like the solution for the backend vault built in admin use to send out an email when cyberark changes it. (But I am not 100% on this one.) ... View more

To be honest, I am not sure where to start on this.  This is my second week in this role.  The email from my boss said "If you have the cycles, below there are a list of use cases for creating alerts based on Privileged Access Management (PAM) logs.  Could you give it a go today and tomorrow to see if you can leverage Splunk to find queries that can be used as correlative rules to detect these use cases? Detection / Event Name Event Description Master Password Use The master password used to access the backend vault was used Backend Vault Built in Admin Use The built-in admin account on the backend vault was used Sssd.conf modified on linux server The sssd.conf file was modified on a linux server ... View more

LIke this?  | `tstats` count from datamodel=Authentication.Authentication by _time,Authentication.action span=10m | timechart minspan=10m useother=`useother` count by Authentication.action | `drop_dm_object_name("Authentication")` ... View more

I was told to base them on "Privileged Access Management (PAM) logs" ... View more