
Cyber-Ark Privileged Identity Management 7.1 CEF Config Guide 2012


CEF Connector Configuration Guide

This document is provided for informational purposes only, and the information herein is subject to change
without notice. Please report any errors herein to HP. HP does not provide any warranties covering this
information and specifically disclaims any liability in connection with this document.

Certified CEF:

The event format complies with the requirements of the HP ArcSight Common Event Format. The HP
ArcSight CEF connector will be able to process the events correctly, and the events will be available for use
within HP's ArcSight product. In addition, the event content has been deemed to be in accordance with
standard SmartConnector requirements. The events will be sufficiently categorized to be used in correlation
rules, reports and dashboards as a proof-of-concept (POC) of the joint solution.

Privileged Identity Management – Enterprise Password Vault v7.1

June 25, 2012

Revision History

Date         Description
06/25/2012   First edition of this Configuration Guide.
07/10/2012   v7.1 Certified by HP Enterprise Security

CEF Connector Support Information when an issue is outside of the ArcSight team's ability

In some cases the ArcSight customer service team is unable to help with issues that lie within the
configuration itself; in that case, the certified vendor should be contacted for assistance:

Cyber-Ark Support
Phone – 1-888-808-9005
Website: https://www.cyber-ark.com/password-vault-support

Instructions – If you have any questions, feel free to reach out to our support team directly at
Support.US@Cyber-Ark.com (US) or support@cyber-ark.com (Non-US). You can also call us at
1-888-808-9005 (US) or 972-3-9180011 (Non-US).

Cyber-Ark's Enterprise Password Vault Configuration Guide

This guide provides information for configuring the Cyber-Ark solutions for syslog event collection. This connector is
supported on Windows, Linux, and Solaris platforms. Device versions 6.0 and above are supported.

Overview

Cyber-Ark® Software is a global information security company that specializes in protecting and managing privileged
users, applications and sensitive information to improve compliance, productivity and protect organizations against
insider threats and advanced external threats. With its award-winning Privileged Identity Management, Sensitive
Information Management and Privileged Session Management Suites, organizations can more effectively manage
and govern data center access and activities, whether on-premise, off-premise or in the cloud, while demonstrating
returns on security investments.

Regarding HP ArcSight integration, Cyber-Ark's Privileged Identity Management solution provides the capability to
monitor and track the usage of every privileged account in an organization. It allows organizations to answer the
question of who is using privileged credentials, when and why. With the addition of the Privileged Session Manager,
organizations can extend this functionality to answer the question of what is occurring during the use of these
privileged credentials. This audit information, plus much more regulatory data required for determining access
controls, can be forwarded to your HP ArcSight implementation to provide one unified view of all privileged activity.
For example, when a user checks out an Administrator ID from our PIM solution, connects to that Windows server and
performs some type of privileged activity, including clearing the native Windows audit log, an event will usually show
in ESM that Administrator cleared the log. Here is where Cyber-Ark comes in. We provide the accountability, through
correlation or just simple CEF forwarding, that will allow you to see the exact person that used that credential within
the same console. Furthermore, you could create correlation rules, possible active remediation rules, session
management viewing, and/or dashboards from within ESM. This will ultimately provide an organization with one
unified approach to alerting and notification for lightning-fast forensics and change management capabilities.

Configuration

Within the Cyber-Ark solution, a simple configuration change needs to be made to the Digital Vault server. Included
out of the box is an XSL parser for HP ArcSight CEF. On the Vault server, you simply point to the IP address(es) of
your HP ArcSight implementation and define the port you are sending over (514 UDP is the default, but the protocol
can be changed to TCP). Lastly, you configure the event IDs that you want to send from the Cyber-Ark solution to HP
ArcSight. Included with this document are the available events that can be sent; over 300 events can be configured.
Below is a screenshot of the configuration in the Cyber-Ark solution. A restart of the Vault server is required once
configured. You also have the option of sending to an ArcSight CEF SmartConnector, which can then forward on to
ESM.
Screen Shot

Included below are screenshots illustrating various connections into the Cyber-Ark PIM solution, including retrieval of
credentials for Windows, Unix and databases. Dashboard examples are also illustrated below.

Events

Attached in the pdf below are the available Action Codes (Event IDs) that can be forwarded through CEF.

Cyber-Ark Event Codes
Device Event Mapping to ArcSight Data Fields
Information contained within vendor-specific event definitions is sent to the ArcSight Smart Connector, then mapped
to an ArcSight data field.

The following table lists the mappings from ArcSight data fields to the supported vendor-specific event definitions.

Cyber-Ark Connector Field Mappings

Vendor-Specific Event Definition                                  ArcSight Event Data Field
Action                                                            act
Issuer                                                            suser
File Name                                                         fname
Gateway Station                                                   dvc
SrcHost for a PSM Connect or Disconnect event                     shost
  (msg id 300 or 301); otherwise the Station value
DstHost for a PSM Connect or Disconnect event;                    dhost
  for a transparent connection event (msg id 295), the
  Remote Machine value from the PVWA; otherwise the
  Address value from the file categories
User for a PSM Connect or Disconnect event; if it is              duser
  not PSM, the Target user value when that field is not
  empty, otherwise the username value from the file
  categories
SessionID                                                         externalId
Protocol                                                          app
Command – Extra Details                                           reason
Source User                                                       cs1Label – Affected User Name
Safe Name                                                         cs2Label
Device Type                                                       cs3Label
Database                                                          cs4Label
Location\Category\GatewayStation                                  cs5Label
RequestID                                                         cn1Label
TicketID – Reason                                                 cn2Label
Reason                                                            msg
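The conditional mapping rules in the table above, written out as an added Python example (this is not Cyber-Ark's XSL translator and is not part of the original guide); the vendor-side key names such as SrcHost and TargetUser, the product and version strings in the CEF header, and the message id 999 used for a non-PSM event are assumptions.

```python
# Added example, not Cyber-Ark's XSL translator and not part of this guide: the field
# mapping table above applied to a vendor event dict and rendered as one CEF line.
# Vendor-side key names (SrcHost, TargetUser, ...) and msg_id 999 are assumptions.
PSM_IDS = {300, 301}          # PSM Connect / Disconnect (msg ids from the guide)
TRANSPARENT_CONNECT_ID = 295  # transparent connection via the PVWA (from the guide)

def _hdr(v):
    """Escape a CEF header field: backslash and pipe."""
    return str(v).replace("\\", "\\\\").replace("|", "\\|")

def _ext(v):
    """Escape a CEF extension value: backslash, equals sign and newline."""
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def map_event(ev):
    """Return the ArcSight extension dict for one vendor event (empty values dropped)."""
    mid, psm = ev["msg_id"], ev["msg_id"] in PSM_IDS
    # shost: SrcHost for PSM Connect/Disconnect, otherwise the Station value
    shost = ev.get("SrcHost") if psm else ev.get("Station")
    # dhost: DstHost for PSM; Remote Machine (PVWA) for msg id 295; otherwise Address
    if psm:
        dhost = ev.get("DstHost")
    elif mid == TRANSPARENT_CONNECT_ID:
        dhost = ev.get("RemoteMachine")
    else:
        dhost = ev.get("Address")
    # duser: User for PSM; otherwise Target user when set, else file-category username
    duser = ev.get("User") if psm else (ev.get("TargetUser") or ev.get("UserName"))
    ext = {
        "act": ev.get("Action"), "suser": ev.get("Issuer"), "fname": ev.get("FileName"),
        "dvc": ev.get("GatewayStation"), "shost": shost, "dhost": dhost, "duser": duser,
        "externalId": ev.get("SessionID"), "app": ev.get("Protocol"),
        "reason": ev.get("ExtraDetails"), "msg": ev.get("Reason"),
        "cs1Label": "Affected User Name", "cs1": ev.get("SourceUser"),
        "cs2Label": "Safe Name", "cs2": ev.get("Safe"),
        "cn1Label": "RequestID", "cn1": ev.get("RequestID"),
    }
    return {k: v for k, v in ext.items() if v not in (None, "")}

def to_cef(ev, vendor="Cyber-Ark", product="Vault", version="7.1", severity=5):
    """Render one event as a CEF:0 line: seven pipe-separated header fields + extension."""
    header = "|".join(_hdr(x) for x in
                      ("CEF:0", vendor, product, version, ev["msg_id"], ev["Action"], severity))
    return header + "|" + " ".join(f"{k}={_ext(v)}" for k, v in map_event(ev).items())

if __name__ == "__main__":  # constructed sample: a PSM Connect event (msg id 300)
    print(to_cef({"msg_id": 300, "Action": "PSM Connect", "Issuer": "alice", "SrcHost": "ws-42",
                  "DstHost": "srv-db-01", "User": "dbadmin", "Protocol": "RDP", "Safe": "DB-Admins"}))
```

A receiving-side check is the mirror image: confirm that shost, dhost and duser in an incoming PSM event (msg id 300/301) carry the session endpoints and not the Station or file-category values, since a swapped mapping silently breaks correlation rules keyed on those fields.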
