CyberArk Privileged Access Security Recommended Monitor
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/06/23"
3integration = ["cyberarkpas"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8promotion = true
9
10[rule]
11author = ["Elastic"]
12description = """
13Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is
14recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
15"""
16false_positives = ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."]
17from = "now-30m"
18index = ["filebeat-*", "logs-cyberarkpas.audit*"]
19language = "kuery"
20license = "Elastic License v2"
21name = "CyberArk Privileged Access Security Recommended Monitor"
22note = """## Setup
23
24The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
25
26## Triage and analysis
27
28This is a promotion rule for CyberArk events, which the vendor recommends should be monitored.
29Consult vendor documentation on interpreting specific events.
30"""
31references = [
32 "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring",
33]
34risk_score = 73
35rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57"
36rule_name_override = "event.action"
37severity = "high"
38tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
39timestamp_override = "event.ingested"
40type = "query"
41
42query = '''
43event.dataset:cyberarkpas.audit and
44 event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or
45 308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and
46 not event.type:error
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1078"
54name = "Valid Accounts"
55reference = "https://attack.mitre.org/techniques/T1078/"
56
57
58[rule.threat.tactic]
59id = "TA0004"
60name = "Privilege Escalation"
61reference = "https://attack.mitre.org/tactics/TA0004/"
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64
65[rule.threat.tactic]
66id = "TA0001"
67name = "Initial Access"
68reference = "https://attack.mitre.org/tactics/TA0001/"
Setup
The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Triage and analysis
This is a promotion rule for CyberArk events, which the vendor recommends should be monitored. Consult vendor documentation on interpreting specific events.
References
Related rules
- CyberArk Privileged Access Security Error
- Forwarded Google Workspace Security Alert
- Service Creation via Local Kerberos Authentication
- Agent Spoofing - Mismatched Agent ID
- Agent Spoofing - Multiple Hosts Using Same Agent