
Summary
This rule identifies non-error-level audit events from CyberArk Privileged Access Security (PAS) that the vendor recommends monitoring. The rule queries the CyberArk PAS logs for specific event.code values, which correspond to the Vault Audit Action Codes defined by CyberArk, and excludes any events marked as errors to avoid irrelevant alerts. To tune the rule, exceptions may be added so that expected benign events do not trigger alerts. The detection focuses on events related to privilege escalation and initial access. The rule relies on the CyberArk PAS Fleet integration and requires data from Filebeat or a similarly structured source to operate correctly. It has a high severity rating with a risk score of 73, indicating that detected events warrant significant attention. Users are advised to consult the vendor documentation for a better understanding of event correlations and proper response strategies.
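The filtering logic the summary describes (dataset match, watched event codes, error exclusion, tunable exceptions), as an added example that is not the rule's own query: the code list is a constructed placeholder, the real list comes from CyberArk's Vault Audit Action Codes documentation, and the error exclusion is modelled as an ECS event.type containing "error".

```python
from typing import Callable, Iterable

# Placeholder watch-list (constructed); substitute the vendor-recommended
# Vault Audit Action Codes from the CyberArk documentation.
MONITORED_CODES = {"4", "22", "24", "31"}

# An exception is a predicate that returns True for expected benign events.
ExceptionRule = Callable[[dict], bool]


def get_field(event: dict, dotted: str):
    """Resolve an ECS dotted field such as 'event.code' in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(event: dict, exceptions: Iterable[ExceptionRule] = ()) -> bool:
    """True when the event would fire the rule after exceptions are applied."""
    if get_field(event, "event.dataset") != "cyberarkpas.audit":
        return False
    if str(get_field(event, "event.code")) not in MONITORED_CODES:
        return False
    # Error-level events (failed/denied operations) are excluded by the rule.
    if "error" in (get_field(event, "event.type") or []):
        return False
    # Tuning: any matching exception suppresses the alert.
    return not any(exc(event) for exc in exceptions)


def alerting_events(events: Iterable[dict], exceptions: Iterable[ExceptionRule] = ()) -> list:
    """Return only the events that should raise an alert."""
    return [e for e in events if matches(e, exceptions)]


# Constructed sample records in the ECS shape Filebeat's cyberarkpas module emits.
SAMPLE_EVENTS = [
    {"event": {"dataset": "cyberarkpas.audit", "code": "22", "type": ["start"]},
     "user": {"name": "alice"}},                                  # alerts
    {"event": {"dataset": "cyberarkpas.audit", "code": "22", "type": ["error"]},
     "user": {"name": "alice"}},                                  # error: excluded
    {"event": {"dataset": "cyberarkpas.audit", "code": "999", "type": ["info"]},
     "user": {"name": "bob"}},                                    # not a watched code
    {"event": {"dataset": "other.audit", "code": "22", "type": ["start"]},
     "user": {"name": "carol"}},                                  # wrong dataset
    {"event": {"dataset": "cyberarkpas.audit", "code": "24", "type": ["change"]},
     "user": {"name": "svc_backup"}},                             # benign service account
]

# Example tuning exception: a known service account performing scheduled work.
SERVICE_ACCOUNT_EXCEPTION = lambda e: get_field(e, "user.name") == "svc_backup"
```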
Categories
- Endpoint
- Cloud
- On-Premise
Data Sources
- Logon Session
- Application Log
- User Account
ATT&CK Techniques
- T1078
Created: 2021-06-23