Quick Start Security for CyberArk PAM
CyberArk PAM - Security Extension
CyberArk is a leading provider of Privileged Access Management (PAM) solutions. Privileged access refers to accounts with elevated permissions within an IT environment, such as administrator accounts, service accounts, or other privileged user accounts. CyberArk's PAM solutions help organizations secure, manage, and monitor privileged accounts and credentials to protect against cyber threats and insider misuse. This alert extension pack covers the different security alert scenarios listed below.
Coralogix Extension For CyberArk PAM Includes:
Alerts - 13
Stay on top of CyberArk PAM key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Cyberark - No Logs From Cyberark
This rule detects when no logs are received from CyberArk in the customer account. Note: this alert should be deployed in the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries may employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.
MITRE Tactic: TA0005
MITRE Technique: T1562
Cyberark - Keystroke Logging Audit Failed
PSM can be configured to record keystrokes. This alert indicates that the setting is enabled for this connection component but keystroke auditing is not working.
Impact: A broken audit log can be part of the defense evasion techniques adversaries use to avoid detection throughout a compromise by disabling logging.
Mitigation: The cause of the audit logging error should be investigated and corrected.
MITRE Tactic: TA0005
MITRE Technique: T1562
Cyberark - Multiple Login Failures for a User in Connecting PSM
The Privileged Session Manager (PSM) is a CyberArk component that enables you to initiate, monitor, and record privileged sessions and the usage of administrative and privileged accounts. This alert detects multiple PSM connect failures for a single user within a short duration.
Impact: Multiple failed challenge/response attempts indicate a potential brute-force attempt.
Mitigation: The reason for the multiple failed attempts should be investigated. Refer to the following document for more details about the reasons for login failures: https://cyberark.my.site.com/s/article/PSM-Error-The-privileged-session-could-not-be-established-securely-Contact-your-system-administrator
MITRE Tactic: TA0006
MITRE Technique: T1110
Cyberark - Process Execution was Blocked
The alert triggers when a process execution was blocked because the maximum number of challenge/response failures was exceeded.
Impact: Multiple failed challenge/response attempts indicate a potential brute-force attempt.
Mitigation: The reason for the multiple failed attempts should be investigated.
MITRE Tactic: TA0006
MITRE Technique: T1110
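The two alerts above (multiple PSM connect failures for one user, and process execution blocked after too many challenge/response failures) both reduce to the same detection logic: count failure events per user inside a sliding time window and fire once the threshold is reached. The following Python is an added illustration, not Coralogix or CyberArk code; the "timestamp|user|event" line layout and the event names are constructed for the example and are not the real PSM log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed layout: timestamp|user|event).
# Not the real CyberArk/PSM format; built here only to exercise the detector.
SAMPLE_LOGS = """\
2024-05-01T10:00:00|alice|PSM_CONNECT_FAILED
2024-05-01T10:00:20|alice|PSM_CONNECT_FAILED
2024-05-01T10:00:45|bob|PSM_CONNECT_OK
2024-05-01T10:01:10|alice|PSM_CONNECT_FAILED
2024-05-01T10:01:30|alice|PSM_CONNECT_FAILED
2024-05-01T10:01:50|alice|PSM_CONNECT_FAILED
2024-05-01T10:30:00|bob|PSM_CONNECT_FAILED
2024-05-01T10:31:00|bob|PSM_CONNECT_FAILED
2024-05-01T11:00:00|bob|PSM_CONNECT_FAILED
2024-05-01T11:01:00|bob|PSM_CONNECT_FAILED
2024-05-01T11:02:00|bob|PSM_CONNECT_FAILED
"""


def parse_line(line):
    """Split one constructed log line into (datetime, user, event)."""
    ts, user, event = line.split("|", 2)
    return datetime.fromisoformat(ts), user, event


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return [(user, first_failure_ts, last_failure_ts), ...] for every
    user who accumulates `threshold` failures inside `window`.
    Successful connects are ignored; failures older than the window are
    discarded, so slow, spread-out failures (bob) do not trigger. After an
    alert fires the user's window is reset, giving one alert per burst."""
    failures = defaultdict(deque)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event = parse_line(raw)
        if event != "PSM_CONNECT_FAILED":
            continue
        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((user, recent[0], ts))
            recent.clear()
    return alerts
```

With the defaults, alice's five failures inside two minutes raise one alert while bob's five failures spread over half an hour raise none; lowering the threshold to three makes bob's final three-minute burst fire as well.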
Cyberark - External User Added
The alert triggers when an external user account is added to the Vault.
Impact: Adding external users introduces security risks, as these users may not be subject to the same security policies, controls, and monitoring mechanisms as internal users. Improperly managed external access can lead to unauthorized data access, leakage, or compromise.
Mitigation: Every external user addition must be validated. If an unknown user is added to the Vault, it should be removed immediately and investigated further.
MITRE Tactic: TA0004
MITRE Technique: T1078
Cyberark - Trusted Network Areas Updated
Trusted Network Areas are the locations on the network from which a user can access the Vault. A Trusted Network Area prevents anyone from logging on to a user account from anywhere other than the specified locations. This alert detects changes to Trusted Network Areas, such as the addition or deletion of a trusted location.
Impact: Trusted Network Areas restrict Vault logins to the specified locations, so an unauthorized user who gains access to the Vault could add their own location to the trusted list to avoid detection.
Mitigation: As this is a very critical change, it must be validated. If any unusual location is added to the Trusted Network Areas, it should be removed immediately and investigated further.
MITRE Tactic: TA0005
MITRE Technique: T1562
Cyberark - Safe Ownership Expired
This alert detects when a user's ownership of a Safe expires.
Impact: Once ownership of the Safe expires, the owner can no longer manage the Safe, which can impact service availability.
Mitigation: Ownership should be extended as required.
MITRE Tactic: TA0040
MITRE Technique: T1489
Cyberark - Changes made to Master Policy
The Master Policy offers a centralized overview of the security and compliance policy for privileged accounts in your organization, while allowing you to configure compliance-driven rules that are defined as the baseline for your enterprise.
Impact: As this policy is responsible for maintaining the security and compliance of privileged accounts, any unauthorized change can hamper visibility into the compliance of privileged users.
Mitigation: The activity should be validated to confirm that the changes were made in accordance with organization policy.
MITRE Tactic: TA0005
MITRE Technique: T1562
Cyberark - SSH Key Deletion Detected
This alert detects when an SSH key deletion succeeds or fails.
Impact: Any attempt to delete an SSH key by an unauthorized user might be an indicator of account compromise, where the attacker is trying to revoke access for other users.
Mitigation: The activity should be validated and investigated if the deletion was performed by a malicious actor.
MITRE Tactic: TA0040
MITRE Technique: T1531
Cyberark - Administrator Account Used
This alert detects when the Administrator account is used. This user sits at the highest level of the user hierarchy and has all possible permissions.
Impact: Use of the Administrator account should be avoided for regular activities. It is recommended to assign specific roles as required; see https://docs.cyberark.com/pam-self-hosted/13.0/en/Content/PASIMP/Predefined-Users-and-Groups.htm?tocpath=Administrator%7CUser%20Management%7C_____6
Mitigation: This activity should be validated with the user who used the admin account.
MITRE Tactic: TA0004
MITRE Technique: T1098
Cyberark - Unauthorized Password Change Attempted
This alert detects when a password change attempt failed because the user is not authorized.
Impact: Any password change attempt by an unauthorized user might be an indicator of privilege escalation, where the attacker is trying to gain access to other accounts.
Mitigation: This activity should be validated with the user who attempted to change the password of the other account.
MITRE Tactic: TA0004
MITRE Technique: T1098
Cyberark - Safe Deletion Detected
This alert detects when a Safe deletion succeeds or fails.
Impact: Any attempt to delete a Safe by an unauthorized user might be an indicator of account compromise, where the attacker is trying to revoke access for other users.
Mitigation: The activity should be validated and investigated if the deletion was performed by a malicious actor.
MITRE Tactic: TA0040
MITRE Technique: T1531
Cyberark - New User Created/Deleted
This alert detects when a new user is added or deleted in the CyberArk portal.
Impact: Any unauthorized creation or deletion of a user in CyberArk is an indicator of account compromise: a malicious actor can create a user account for persistence, and deleting a user can lead to a denial of service.
Mitigation: As CyberArk is used for PAM, it is very important to validate user addition and deletion activities.
MITRE Tactic: TA0006
MITRE Technique: T1136
Integration
Learn more about Coralogix's out-of-the-box integration with CyberArk PAM in our documentation.