Collect CyberArk Privileged Threat Analytics logs

Supported in:

Google secops SIEM

This document explains how to ingest CyberArk Privileged Threat Analytics logs to Google Security Operations using Bindplane. CyberArk Privileged Threat Analytics (PTA) is a security solution that detects and responds to malicious activities involving privileged accounts. It uses advanced analytics and machine learning to monitor, analyze, and flag abnormal behaviors that may indicate potential insider threats or compromised credentials.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance.
A Windows 2016 or later or Linux host with systemd.
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
Privileged access to the CyberArk Privileged Threat Analytics server.

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
- Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open the Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

Additional installation resources

For additional installation options, consult this installation guide .

Configure the Bindplane agent to ingest syslog and send to Google SecOps

Access the configuration file:
- Locate the config.yaml file. Typically, it's in the /opt/observiq-otel-collector/ directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, nano , vi , or Notepad).

Edit the config.yaml file as follows:

  receivers 
 : 
  
 tcplog 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/cyberark_pta 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 customer_id 
 : 
  
 '<CUSTOMER_ID>' 
  
 endpoint 
 : 
  
< ENDPOINT 
>  
 log_type 
 : 
  
 'CYBERARK_PTA' 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
 service 
 : 
  
 pipelines 
 : 
  
 logs/cyberark_pta_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 tcplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/cyberark_pta

Replace the port and IP address as required in your infrastructure.
Replace <CUSTOMER_ID> with the actual customer ID.
Replace the <ENDPOINT> value with your regional endpoint:
- United States: malachiteingestion-pa.googleapis.com
- Europe: europe-malachiteingestion-pa.googleapis.com
- Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
Note: For the complete list of regional endpoints, see Regional Endpoints documentation .
Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:

 sudo  
systemctl  
restart  
observiq-otel-collector

To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:
```
 net stop observiq-otel-collector && net start observiq-otel-collector 
```

Configure CyberArk Privileged Threat Analytics syslog forwarding

Sign in to the Privileged Threat Analyticsserver.
Run the DEFAULTPARMcommand to open the default systemparm.properties file.
Copy the line containing the syslog_outbound property and exit the systemparm.properties file.
Run the LOCALPARMcommand to open the local systemparm.properties file.
Press i on the keyboard to edit the file.
In the systemparm.properties file, uncomment the syslog_outbound property.
Paste the line that you copied and edit the parameters according to the following example:
```
 syslog_outbound=[{"siem": "Chronicle", "format": "CEF", "host": "BINDPLANE_IP", "port": BINDPLANE_PORT, "protocol": "TCP"}] 
```
- Replace BINDPLANE_IP with the IP address of the Bindplane agent host.
- Replace BINDPLANE_PORT with the port number configured in the Bindplane agent (for example, 514 ).
Save the configuration file and close it.
Restart the Privileged Threat Analyticsserver to apply the changes.

For more information, see the CyberArk Privileged Threat Analytics documentation .

UDM mapping table

Log field	UDM mapping	Logic
`src`	`principal.ip`	Direct mapping from `src` field.
`dst`	`target.ip`	Direct mapping from `dst` field.
`suser`	`principal.user.userid`	Direct mapping from `suser` field.
`duser`	`target.user.userid`	Direct mapping from `duser` field.
`cs1`	`security_result.description`	Direct mapping from `cs1` field (reason).
`cs2`	`additional.fields`	Direct mapping from `cs2` field (station).
`act`	`security_result.action_details`	Direct mapping from `act` field (action taken).
`cat`	`metadata.product_event_type`	Direct mapping from `cat` field (event category).
`severity`	`security_result.severity`	Mapped from CEF severity value.
`deviceCustomDate1`	`metadata.event_timestamp`	Parsed from `deviceCustomDate1` field.
	`metadata.vendor_name`	Set to `CyberArk` .
	`metadata.product_name`	Set to `Privileged Threat Analytics` .
	`metadata.log_type`	Set to `CYBERARK_PTA` .

Need more help? Get answers from Community members and Google SecOps professionals.