CyberArk Privileged Access Security Error
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/06/23"
3integration = ["cyberarkpas"]
4maturity = "production"
5promotion = true
6updated_date = "2025/01/15"
7
8[rule]
9author = ["Elastic"]
10description = """
11Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code
12correlates to the CyberArk Vault Audit Action Code.
13"""
14false_positives = ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."]
15from = "now-30m"
16index = ["filebeat-*", "logs-cyberarkpas.audit*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "CyberArk Privileged Access Security Error"
20note = """## Setup
21
22The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
23
24## Triage and analysis
25
26This is a promotion rule for CyberArk error events, which are alertable events per the vendor.
27Consult vendor documentation on interpreting specific events.
28"""
29references = [
30 "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3",
31]
32risk_score = 73
33rule_id = "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54"
34rule_name_override = "event.action"
35severity = "high"
36tags = [
37 "Data Source: CyberArk PAS",
38 "Use Case: Log Auditing",
39 "Use Case: Threat Detection",
40 "Tactic: Privilege Escalation",
41 "Resources: Investigation Guide",
42]
43timestamp_override = "event.ingested"
44type = "query"
45
46query = '''
47event.dataset:cyberarkpas.audit and event.type:error
48'''
49
50
51[[rule.threat]]
52framework = "MITRE ATT&CK"
53[[rule.threat.technique]]
54id = "T1078"
55name = "Valid Accounts"
56reference = "https://attack.mitre.org/techniques/T1078/"
57
58
59[rule.threat.tactic]
60id = "TA0004"
61name = "Privilege Escalation"
62reference = "https://attack.mitre.org/tactics/TA0004/"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65
66[rule.threat.tactic]
67id = "TA0001"
68name = "Initial Access"
69reference = "https://attack.mitre.org/tactics/TA0001/"
toml
Setup
The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Triage and analysis
This is a promotion rule for CyberArk error events, which are alertable events per the vendor. Consult vendor documentation on interpreting specific events.
References
Related rules
- CyberArk Privileged Access Security Recommended Monitor
- AWS RDS DB Instance or Cluster Password Modified
- AWS SQS Queue Purge
- AWS SSM `SendCommand` Execution by Rare User
- AWS STS Role Chaining