CyberArk Privileged Identity Management Suite

McAfee Enterprise Security Manager
Data Source Configuration Guide
Data Source:
CyberArk Privileged Identity Management
Suite - CEF
October 1, 2014
CyberArk Privileged Identity Management Suite - CEF
Page 1 of 10
Important Note:
The information contained in this document is confidential and proprietary.
Please do not redistribute without permission.
Table of Contents
1 Introduction
2 Prerequisites
3 Specific Data Source Configuration Details
3.1 CyberArk Privileged Identity Management Suite
3.2 McAfee Receiver Configuration
4 Data Source Event to McAfee Field Mappings
4.1 Log Sample
4.2 Mappings
5 Appendix A - Generic Syslog Configuration Details
6 Appendix B - Troubleshooting
1 Introduction
This guide details how to configure CyberArk Privileged Identity Management Suite – CEF to
send syslog data in the proper format to the ESM.
2 Prerequisites
McAfee Enterprise Security Manager Version 9.2.0 and above.
To configure the CyberArk Privileged Identity Management Suite – CEF syslog service,
administrative access to the CyberArk Vault server (to edit DBParm.ini, place the XSL
translator file and restart the Vault) and to the McAfee ESM console is required to perform
the changes documented below.
3 Specific Data Source Configuration Details
3.1 CyberArk Privileged Identity Management Suite
Syslog messages can be sent to multiple syslog servers in two different ways:
• A single message can be sent to multiple servers by configuring a single XSLT file.
• Multiple messages can be sent to multiple syslog servers and formatted differently for
each server by configuring multiple XSLT files, formats and code-message lists. The lists
(server addresses, translator files and message-code filters) must be matched: each must
contain the same number of items in the same order, so that the n-th entry of every list
applies to the n-th server.
1. In \PrivateArk\Server\DBParm.sample.ini, copy the SYSLOG section.
2. In DBParm.ini, paste the SYSLOG section at the bottom.
3. Rename the XSL translator file that the Vault will use to McAfee.xsl; this is the name
referenced by the SyslogTranslatorFile parameter.
4. The configuration parameters for SYSLOG are listed below for reference:
a. SyslogServerIP – The IP address(es) of the syslog servers where messages will be
sent. Specify multiple values with commas.
b. SyslogServerProtocol – The syslog protocol used to send audit logs. Specify either
TCP or UDP. The default value is UDP.
c. SyslogServerPort – The port used to connect to the syslog server. The default value
is 514.
d. SyslogMessageCodeFilter – Defines which message codes will be sent from the Vault
to the SIEM application over syslog. You can specify message numbers and/or ranges
of numbers, separated by commas. Specify multiple values (one list per syslog server)
with pipes (|). By default, all message codes for user and Safe activities are sent.
For a list of messages and codes, refer to the Privileged Account Security Reference
Guide.
e. SyslogTranslatorFile – The XSL file used to translate CyberArk audit records into
syslog messages. Specify multiple values with commas.
f. DebugLevel – Determines the level of debug messages. Specify SYSLOG(2) to include
the syslog XML messages in the trace file.
g. UseLegacySyslogFormat – Controls the format of the syslog message: whether it is
sent in the newer syslog format (RFC 5424) or in the legacy format. The default value
is No, which selects the newer format. Specify multiple values with commas.
5. Copy the relevant XSL translator file from the Syslog subfolder of the Server installation
folder to the location specified in the SyslogTranslatorFile parameter in DBParm.ini.
During Vault installation or upgrade, sample XSL files are copied to the
PrivateArk\Server\syslog folder.
6. Edit the XSL translator file as required for the SIEM implementation.
7. Stop and start the Vault for the changes to take effect.
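Before restarting the Vault it is worth checking that the SYSLOG section is internally consistent, in particular that the per-server lists line up as described above, since a mismatched list silently applies the wrong translator or filter to a server. The following Python script is an added example, not CyberArk's or McAfee's code. The SYSLOG section embedded in it is constructed for illustration: the parameter names are those listed in step 4, while the IP addresses, message-code filter and file paths are assumed values. The rule that a single value applies to every server is also an assumption.

```python
"""Sanity-check the SYSLOG section of a CyberArk Vault DBParm.ini before restarting.

Added example; not CyberArk or McAfee code. Parameter names follow the guide, the
values below are constructed, and "one value applies to all servers" is assumed.
"""
import re

# Constructed DBParm.ini fragment (assumed addresses, codes and paths).
SAMPLE_SYSLOG_SECTION = r"""
[SYSLOG]
SyslogServerIP=10.1.1.50,10.1.1.51
SyslogServerProtocol=UDP
SyslogServerPort=514
SyslogMessageCodeFilter=1,2,22,38,295-300|1,2
SyslogTranslatorFile=Syslog\McAfee.xsl,Syslog\McAfee.xsl
UseLegacySyslogFormat=No,No
DebugLevel=SYSLOG(2)
"""

# Parameters that carry one entry per syslog server and must therefore line up.
# Message-code lists are pipe separated (commas separate codes inside one list).
PER_SERVER_PARAMS = {
    "SyslogServerIP": ",",
    "SyslogTranslatorFile": ",",
    "UseLegacySyslogFormat": ",",
    "SyslogMessageCodeFilter": "|",
}


def parse_syslog_section(text):
    """Return the key=value pairs found inside the [SYSLOG] section as a dict."""
    params = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.upper() == "[SYSLOG]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def validate_syslog_params(params):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    if "SyslogServerIP" not in params:
        return ["SyslogServerIP is missing; no events will be sent"]
    server_count = len(params["SyslogServerIP"].split(","))

    # Each per-server list must have one entry (assumed: applies to all) or one per server.
    for name, sep in PER_SERVER_PARAMS.items():
        if name in params:
            count = len(params[name].split(sep))
            if count not in (1, server_count):
                problems.append(f"{name} has {count} entries but SyslogServerIP "
                                f"lists {server_count} servers")

    proto = params.get("SyslogServerProtocol", "UDP").upper()
    if proto not in ("TCP", "UDP"):
        problems.append(f"SyslogServerProtocol must be TCP or UDP, got {proto!r}")

    port = params.get("SyslogServerPort", "514")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"SyslogServerPort {port!r} is not a valid port")

    for path in params.get("SyslogTranslatorFile", "").split(","):
        if path and not path.lower().endswith(".xsl"):
            problems.append(f"SyslogTranslatorFile entry {path!r} is not an .xsl file")

    # Filter items are message numbers or ranges such as 295-300.
    for code_list in params.get("SyslogMessageCodeFilter", "").split("|"):
        for item in code_list.split(","):
            if item and not re.fullmatch(r"\d+(-\d+)?", item.strip()):
                problems.append(f"SyslogMessageCodeFilter item {item!r} is not a code or range")
    return problems


if __name__ == "__main__":
    for problem in validate_syslog_params(parse_syslog_section(SAMPLE_SYSLOG_SECTION)):
        print("WARNING:", problem)
```

Run it against the real DBParm.ini (read the file instead of SAMPLE_SYSLOG_SECTION) before step 7; any warning printed should be resolved before the Vault is restarted.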
3.2 McAfee Receiver Configuration
After successfully logging into the McAfee ESM console the data source will need to be added to
a McAfee Receiver in the ESM hierarchy.
1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select “Data Sources”.
4. Select “Add Data Source”.
OR
1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the “Add Data Source” icon.
Data Source Screen Settings
1. Data Source Vendor – CyberArk
2. Data Source Model – Privileged Identity Management Suite - CEF
3. Data Format – Default (leave this as Default even though the feed is CEF; selecting
CEF enables only the generic CEF rule, see the note in Appendix A)
4. Data Retrieval – Default
5. Enabled: Parsing/Logging/SNMP Trap – <Defaults>
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source
device.
8. Syslog Relay – None
9. Mask – 32
10. Require Syslog TLS – Enable to require the Receiver to communicate over TLS.
11. Support Generic Syslogs – Do nothing
12. Time Zone – Time zone of the data being sent (the Vault server's time zone; see
Appendix B if events are discarded with a “Last Time” in the future).
Note – Refer to Appendix A for details on the Data Source Screen options
Note – Refer to Appendix A for details on the Data Source Screen options
4 Data Source Event to McAfee Field Mappings
4.1 Log Sample
The following is a sample log from a CyberArk Privileged Identity Management Suite – CEF
device:
Dec 14 09:49:33 PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed duser=PasswordManager fname=Root\S-1-5-21-1147481723-1708746877-4547331-38808 src=10.7.3.171 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=Windows PCAdmin Accounts cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cn1Label="Request Id" cn1= msg=Failure. Failure Description: CACPM344E Verifying Password Safe: Windows PCAdmin Accounts, Folder: Root, Object: S-1-5-21-1147481723-1708746877-4547331-38808 failed (try #368). Code: 2101, Error: Error in verifypass to user IT28326D1L.hmcorp.local\pcadmin on domain IT28326D1L.hmcorp.local(\\IT28326D1L.HMCORP.LOCAL). Reason: No network provider accepted the given network path. (winRc\=1203). , address\=IT28326D1L.hmcorp.local;retriescount\=368;username\=pcadmin;, Failure: CPM Verify Password Failed
4.2 Mappings
The table below shows the mappings between the data source and McAfee ESM fields. Custom
string fields are listed under their label: cs1 with cs1Label="Affected User Name" in the
sample above appears as cs1_Affected_User_Name.
Log Fields                 McAfee ESM Fields
fname                      Filename.Filename
cs4_Database               Database_Name.Database_Name
dhost                      Destination_Hostname.Destination_Hostname
spriv                      Priviledged_User.Priviledged_User
externalId                 Instance_GUID.Instance_GUID
cs1_Affected_User_Name     Destination_UserID.Destination_UserID
app                        protocol
app                        application
duser                      dst_username
suser                      src_username
cs2_Safe_Name              objectname
dvc                        src_ip
shost                      src_ip
src                        src_ip
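To see how the sample record in 4.1 becomes the fields in this table, the following Python parser is an added example, not part of this guide and not the McAfee ESM parser. It splits the sample line into CEF header and extension fields, handles the `\=` and `\\` escapes visible in the msg field, folds each csNLabel/csN pair into the label-qualified name used in the table, and applies the table's mapping. The ESM field names are copied from the table; the parser's behaviour for keys the table does not list (kept under their CEF name) and the handling of empty values are assumptions about this example, not about the Receiver.

```python
"""Parse the CEF sample from section 4.1 and apply the section 4.2 field mapping.

Added example for this guide; not CyberArk or McAfee code. SAMPLE_LOG is the
guide's own record with PDF soft hyphens removed. Keys the table does not map are
kept under their CEF name (an assumption about this example, not the Receiver).
"""
import re

# Section 4.1 sample (raw string so the CEF backslash escapes are preserved).
SAMPLE_LOG = r"""Dec 14 09:49:33 PRODVAULT CEF:0|Cyber-Ark|Vault|6.0.0430|38|Failure: CPM Verify Password Failed|7|act=CPM Verify Password Failed duser=PasswordManager fname=Root\S-1-5-21-1147481723-1708746877-4547331-38808 src=10.7.3.171 cs1Label="Affected User Name" cs1= cs2Label="Safe Name" cs2=Windows PCAdmin Accounts cs3Label="Location" cs3= cs4Label="Property Name" cs4= cs5Label="Target User Name" cs5= cn1Label="Request Id" cn1= msg=Failure. Failure Description: CACPM344E Verifying Password Safe: Windows PCAdmin Accounts, Folder: Root, Object: S-1-5-21-1147481723-1708746877-4547331-38808 failed (try #368). Code: 2101, Error: Error in verifypass to user IT28326D1L.hmcorp.local\pcadmin on domain IT28326D1L.hmcorp.local(\\IT28326D1L.HMCORP.LOCAL). Reason: No network provider accepted the given network path. (winRc\=1203). , address\=IT28326D1L.hmcorp.local;retriescount\=368;username\=pcadmin;, Failure: CPM Verify Password Failed"""

# An extension key starts the string or follows whitespace. An escaped "\=" inside
# a value has a backslash, not a bare word, in front of "=", so it never starts a pair.
KEY_RE = re.compile(r"(?<!\S)(\w+)=")

# Section 4.2 mapping, CEF key -> McAfee ESM field(s). "app" feeds two fields.
ESM_FIELD_MAP = {
    "fname": ("Filename",),
    "cs4_Database": ("Database_Name",),
    "dhost": ("Destination_Hostname",),
    "spriv": ("Priviledged_User",),  # spelled as in the guide's table
    "externalId": ("Instance_GUID",),
    "cs1_Affected_User_Name": ("Destination_UserID",),
    "app": ("protocol", "application"),
    "duser": ("dst_username",),
    "suser": ("src_username",),
    "cs2_Safe_Name": ("objectname",),
    "dvc": ("src_ip",),
    "shost": ("src_ip",),
    "src": ("src_ip",),
}


def _unescape_header(value):
    """Header fields escape only '|' and '\\'."""
    return re.sub(r"\\([\\|])", r"\1", value)


def _unescape_extension(value):
    """Extension values escape '=', '\\', '|' and encode newlines as \\n / \\r."""
    return re.sub(r"\\([\\=nr|])",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Return the key=value pairs of a CEF extension; values may contain spaces."""
    pairs = {}
    matches = list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = _unescape_extension(ext[m.end():end].strip())
    return pairs


def parse_cef_syslog(line):
    """Split one syslog line carrying a CEF record into header fields and extension."""
    start = line.index("CEF:")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)  # split on unescaped pipes
    if len(parts) != 8:
        raise ValueError("incomplete CEF header")
    hdr = [_unescape_header(p) for p in parts[:7]]
    return {
        "syslog_prefix": line[:start].strip(),
        "cef_version": hdr[0].split(":", 1)[1],
        "vendor": hdr[1], "product": hdr[2], "device_version": hdr[3],
        "signature_id": hdr[4], "name": hdr[5], "severity": int(hdr[6]),
        "extension": parse_extension(parts[7]),
    }


def to_esm_fields(event):
    """Fold csNLabel/csN pairs into label-qualified keys, then apply ESM_FIELD_MAP."""
    ext = dict(event["extension"])
    for key in list(ext):
        base = key[:-5]
        if key.endswith("Label") and base in ext:
            label = ext.pop(key).strip('"').replace(" ", "_")
            ext[f"{base}_{label}"] = ext.pop(base)
    esm = {}
    for key, value in ext.items():
        for field in ESM_FIELD_MAP.get(key, (key,)):
            esm[field] = value
    return esm


if __name__ == "__main__":
    event = parse_cef_syslog(SAMPLE_LOG)
    print(event["vendor"], event["product"], event["signature_id"], event["name"])
    for field, value in sorted(to_esm_fields(event).items()):
        print(f"{field:28} {value!r}")
```

Note that in the sample record cs1 (Affected User Name) is empty, so Destination_UserID is empty for this CPM failure even though the Safe name (objectname) and source address (src_ip) are populated; detection rules keyed on the affected user should expect that for CPM-generated events.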
5 Appendix A - Generic Syslog Configuration Details
Once you select the option to add a data source, you are taken to the “Add Data Source” menu. The
general options for adding a data source are shown. As you select different options, additional
parameters may show. Each of these parameters will be examined in more detail.
1. Use System Profiles – System Profiles are a way to use settings that are repetitive in nature,
without having to enter the information each time. An example is WMI credentials, which are
necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor – List of all supported vendors.
3. Data Source Model – List of supported products for a vendor.
4. Data Format – “Data Format” is the format the data is in. Options are “Default”, “CEF”, and
“MEF”.
Note – If you choose CEF it will enable the generic rule for CEF and may not parse
data source-specific details.
5. Data Retrieval – “Data Retrieval” allows you to select how the Receiver is going to collect the
data. Default is over syslog.
6. Enabled: Parsing/Logging/SNMP Trap – Enables parsing of the data source, logging of the
data source, and reception of SNMP traps from the data source. If no option is checked, the
settings are saved to the ESM, but not written to the Receiver or utilized. Default is to select
“Parsing”.
7. Name – This is the name that will appear in the Logical Device Groupings tree and the filter
lists.
8. IP Address/Hostname – The IP address and host name associated with the data source
device.
9. Syslog Relay – “Syslog Relay” allows data to be collected via relays and bucketed to the
correct data source. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask – Enables you to apply a mask to an IP address so that a range of IP addresses can
be accepted.
11. Require Syslog TLS – Enable to require the receiver to communicate over TLS.
12. Support Generic Syslog – “Generic Syslog” allows users to select “Parse generic syslog” or
“Log unknown syslog event”. Both options will create an alert for an auto-learned
syslog event if there is no parsing rule.
13. Time Zone - If syslog events are sent in a time zone other than GMT, you need to set the
time zone of the data source so the date on the events can be set accordingly.
14. Interface – Opens the receiver interface settings to associate ports with streams of
information.
15. Advanced – Opens advanced settings for the data source.
6 Appendix B - Troubleshooting
• If a data source is not receiving events, verify that the data source settings have been
written out and that policy has been rolled out to the Receiver.
• If you see errors saying events are being discarded because the “Last Time” value is more
than one hour in the future, or the values are incorrect, you may need to adjust the “Time
Zone” setting.