CyberArk Privileged Access Security Recommended Monitor
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
Elastic rule
[metadata]
creation_date = "2021/06/23"
integration = ["cyberarkpas"]
maturity = "production"
promotion = true
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is
recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
"""
false_positives = ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."]
from = "now-30m"
index = ["filebeat-*", "logs-cyberarkpas.audit*"]
language = "kuery"
license = "Elastic License v2"
name = "CyberArk Privileged Access Security Recommended Monitor"
note = """## Setup

The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

## Triage and analysis

This is a promotion rule for CyberArk events, which the vendor recommends should be monitored.
Consult vendor documentation on interpreting specific events.
"""
references = [
    "https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASREF/Vault%20Audit%20Action%20Codes.htm?tocpath=Administration%7CReferences%7C_____3#RecommendedActionCodesforMonitoring",
]
risk_score = 73
rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57"
rule_name_override = "event.action"
severity = "high"
tags = [
    "Data Source: CyberArk PAS",
    "Use Case: Log Auditing",
    "Use Case: Threat Detection",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
data_stream.dataset:cyberarkpas.audit and
  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or
  308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and
  not event.type:error
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
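The KQL query above is small, but its three clauses interact with ECS field types in ways worth seeing on concrete events: `event.code` is a keyword (so the numeric list matches string values), `event.type` is an array (so `not event.type:error` excludes an event if any element is `error`), and tuning means excluding codes rather than adding them. The following is an added example, not Elastic's rule code or the CyberArk integration's code: it re-implements the query predicate in Python over a few constructed audit events, applies the exception-style tuning the `false_positives` field describes, and names each alert from `event.action` as `rule_name_override` does. The `event.action` and `user.name` values in the sample events are constructed placeholders, not real CyberArk action strings.

```python
import json
from typing import Dict, FrozenSet, Iterable, List

# Event codes listed in the rule's query: CyberArk Vault Audit Action Codes the vendor recommends monitoring.
RECOMMENDED_CODES: FrozenSet[int] = frozenset(
    {4, 22, 24, 31, 38, 57, 60, 130, 295, 300, 302, 308, 319, 344, 346, 359, 361, 378, 380, 411}
)
RULE_NAME = "CyberArk Privileged Access Security Recommended Monitor"

# Constructed ECS-shaped events in the layout the cyberarkpas integration produces (NDJSON, one per line).
# Action and user values are placeholders, not vendor strings.
SAMPLE_NDJSON = "\n".join(
    json.dumps(e)
    for e in [
        {"data_stream": {"dataset": "cyberarkpas.audit"}, "event": {"code": "22", "type": ["info"], "action": "constructed-action-22"}, "user": {"name": "alice"}},
        {"data_stream": {"dataset": "cyberarkpas.audit"}, "event": {"code": "24", "type": ["error"], "action": "constructed-action-24"}, "user": {"name": "bob"}},
        {"data_stream": {"dataset": "cyberarkpas.audit"}, "event": {"code": "4", "type": ["change"], "action": "constructed-action-4"}, "user": {"name": "carol"}},
        {"data_stream": {"dataset": "other.dataset"}, "event": {"code": "4", "type": ["change"], "action": "constructed-action-4"}, "user": {"name": "dave"}},
        {"data_stream": {"dataset": "cyberarkpas.audit"}, "event": {"code": "999", "type": ["info"], "action": "constructed-action-999"}, "user": {"name": "erin"}},
    ]
)


def parse_ndjson(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def matches_rule(event: Dict, excluded_codes: FrozenSet[int] = frozenset()) -> bool:
    """Evaluate the rule's KQL predicate against one event:
    data_stream.dataset:cyberarkpas.audit and event.code:(...) and not event.type:error.
    excluded_codes models the documented tuning: exceptions for codes that should not fire."""
    if event.get("data_stream", {}).get("dataset") != "cyberarkpas.audit":
        return False
    ev = event.get("event", {})
    # event.code is an ECS keyword; KQL's numeric list matches the string "4", so normalise to int.
    try:
        code = int(ev.get("code"))
    except (TypeError, ValueError):
        return False
    if code not in RECOMMENDED_CODES or code in excluded_codes:
        return False
    # event.type is an array in ECS; `not event.type:error` drops the event if any element is "error".
    types = ev.get("type", [])
    if isinstance(types, str):
        types = [types]
    return "error" not in types


def build_alert(event: Dict) -> Dict:
    """Shape an alert the way the rule would: rule_name_override takes the name from event.action."""
    ev = event["event"]
    return {
        "alert_name": ev.get("action") or RULE_NAME,
        "event_code": int(ev["code"]),
        "user": event.get("user", {}).get("name"),
    }


def run_rule(events: Iterable[Dict], excluded_codes: FrozenSet[int] = frozenset()) -> List[Dict]:
    """Apply the predicate to a batch of events and return the alerts it would raise."""
    return [build_alert(e) for e in events if matches_rule(e, excluded_codes)]


if __name__ == "__main__":
    events = parse_ndjson(SAMPLE_NDJSON)
    for alert in run_rule(events):
        print(alert)
    print("with code 22 excepted:", run_rule(events, frozenset({22})))
```

Running it on the constructed sample yields two alerts (codes 22 and 4): the code-24 event is dropped by the `error` type, the `other.dataset` event by the dataset clause, and code 999 because it is not in the list. Passing an exception set reproduces the tuning the rule's `false_positives` text suggests, without changing the query itself.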
Related rules
- CyberArk Privileged Access Security Error
- AWS RDS DB Instance or Cluster Password Modified
- AWS SQS Queue Purge
- AWS SSM `SendCommand` Execution by Rare User
- AWS STS Role Chaining