
Quick Start Security for CyberArk PAM

CyberArk PAM

Coralogix Extension For CyberArk PAM Includes:

Alerts - 13

Stay on top of CyberArk PAM key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Cyberark - No Logs from Cyberark in 12 Hrs

This rule detects when no CyberArk logs have been received in the last 12 hours for the customer account. Note: this alert should be deployed in the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries may employ as part of various MITRE ATT&CK techniques to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to restore comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005 MITRE Technique: T1562

Cyberark - Keystroke Logging Audit Failed

PSM can be configured to record keystrokes; this alert indicates that keystroke recording is enabled for this connection component but is not working.
Impact: A failed audit log can be part of the defense evasion techniques adversaries use to avoid detection throughout a compromise by disabling logging.
Mitigation: The cause of the audit logging error should be investigated and corrected.
MITRE Tactic: TA0005 MITRE Technique: T1562

Cyberark - Multiple Login Failures for a User in Connecting PSM

The Privileged Session Manager (PSM) is a CyberArk component that enables you to initiate, monitor, and record privileged sessions and the usage of administrative and privileged accounts. This alert detects multiple PSM connection failures for a single user within a short period.
Impact: Multiple failed challenge/response attempts indicate a potential brute-force attempt.
Mitigation: The reason for the repeated failed attempts should be investigated. Refer to the following document for more details about the causes of login failures: https://cyberark.my.site.com/s/article/PSM-Error-The-privileged-session-could-not-be-established-securely-Contact-your-system-administrator
MITRE Tactic: TA0006 MITRE Technique: T1110

Cyberark - Process Execution was Blocked

The alert triggers when a process execution is blocked because the maximum number of challenge/response failures was exceeded.
Impact: Multiple failed challenge/response attempts indicate a potential brute-force attempt.
Mitigation: The reason for the repeated failed attempts should be investigated.
MITRE Tactic: TA0006 MITRE Technique: T1110

Cyberark - External User Added

The alert triggers when an external user account is added to the Vault.
Impact: Adding external users introduces security risk, as these users may not be subject to the same security policies, controls, and monitoring mechanisms as internal users. Improperly managed external access can lead to unauthorized data access, leakage, or compromise.
Mitigation: Every external user addition must be validated. If an unknown user has been added to the Vault, it should be removed immediately and investigated further.
MITRE Tactic: TA0004 MITRE Technique: T1078

Cyberark - Trusted Network Areas Updated

Trusted Network Areas are the locations on the network from which a user can access the Vault. A Trusted Network Area prevents anyone from logging on to a user account from anywhere other than the specified locations. This alert detects changes to Trusted Network Areas, such as the addition or deletion of a trusted location.
Impact: Trusted Network Areas allow users to log in to the Vault only from the specified locations, so an unauthorized user who gains access to the Vault could add their own location to the trusted list to avoid detection.
Mitigation: Because this is a critical change, it must be validated. If an unusual location has been added to the trusted network, it should be removed immediately and investigated further.
MITRE Tactic: TA0005 MITRE Technique: T1562

Cyberark - Safe Ownership Expired

This alert detects when a user's ownership of a Safe expires.
Impact: Once ownership of the Safe expires, the owner can no longer manage the Safe, which can affect service availability.
Mitigation: The ownership should be extended as required.
MITRE Tactic: TA0040 MITRE Technique: T1489

Cyberark - Changes made to Master Policy

The Master Policy offers a centralized overview of the security and compliance policy for privileged accounts in your organization, while allowing you to configure compliance-driven rules that serve as the baseline for your enterprise. This alert detects changes made to the Master Policy.
Impact: Because this policy is responsible for maintaining the security and compliance of privileged accounts, any unauthorized change can reduce visibility into the compliance of privileged users.
Mitigation: The activity should be validated to confirm that the changes were made in accordance with organizational policy.
MITRE Tactic: TA0005 MITRE Technique: T1562

Cyberark - SSH Key Deletion Detected

This alert detects when an SSH key deletion succeeds or fails.
Impact: Any attempt by an unauthorized user to delete an SSH key may indicate account compromise, where the attacker is trying to revoke access for other users.
Mitigation: The activity should be validated, and investigated if the deletion was performed by a malicious actor.
MITRE Tactic: TA0040 MITRE Technique: T1531

Cyberark - Administrator Account Used

This alert detects when the Administrator account is used. This user sits at the highest level of the user hierarchy and has all possible permissions.
Impact: Use of the Administrator account should be avoided for routine activities. It is recommended to assign specific roles as required: https://docs.cyberark.com/pam-self-hosted/13.0/en/Content/PASIMP/Predefined-Users-and-Groups.htm?tocpath=Administrator%7CUser%20Management%7C_____6
Mitigation: This activity should be validated with the person who used the Administrator account.
MITRE Tactic: TA0004 MITRE Technique: T1098

Cyberark - Unauthorized Password Change Attempted

This alert detects when a password change attempt fails because the user is not authorized.
Impact: Any password change attempt by an unauthorized user may indicate privilege escalation, where the attacker is trying to gain access to other accounts.
Mitigation: This activity should be validated with the user who attempted to change the password of another account.
MITRE Tactic: TA0004 MITRE Technique: T1098

Cyberark - Safe Deletion Detected

This alert detects when a Safe deletion succeeds or fails.
Impact: Any attempt by an unauthorized user to delete a Safe may indicate account compromise, where the attacker is trying to revoke access for other users.
Mitigation: The activity should be validated, and investigated if the deletion was performed by a malicious actor.
MITRE Tactic: TA0040 MITRE Technique: T1531

Cyberark - New User Created/Deleted

This alert detects when a user is added to or deleted from the CyberArk portal.
Impact: Any unauthorized creation or deletion of a CyberArk user is an indicator of account compromise: a malicious actor can create a user account for persistence, and deleting a user can lead to denial of service.
Mitigation: Because CyberArk is used for PAM, it is essential to validate user addition and deletion activities.
MITRE Tactic: TA0006 MITRE Technique: T1136

Integration

Learn more about Coralogix's out-of-the-box integration with CyberArk PAM in our documentation.
