Copyright © 2012 EMC Corporation. All Rights Reserved.
Cyber-Ark: Privileged Identity Management Suite,
Privileged Session Management Suite, and
Sensitive Information Management Suite
Last Modified: Wednesday, December 04, 2013

Event Source (Device) Product Information
Vendor: Cyber-Ark
Event Source (Device): Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite
Supported Versions: 5.0 and 7.0
Supported Platforms: Windows
Additional Downloads: RSAenvision.xsl and CyberArk_RSAenvision.xsl

RSA Product Information
Supported Version: RSA enVision 4.0 and 4.1
Note: The support for Cyber-Ark 7.0 requires RSA enVision 4.0 Service Pack 4 or later.
Event Source (Device) Type: cyberark, 158
Collection Method: Syslog
Event Source (Device) Class.Subclass: Security.Access Control
Content 2.0 Table: Access
This document contains the following information for the Cyber-Ark Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite event sources:
- Configuration Instructions
- Release Notes 20131204-183327
- Release Notes 20131031-163922
- Release Notes 20131002-155915
- Release Notes 20120529-140644
- Release Notes 20120105-082058
- Release Notes 20111205-083318
Cyber-Ark Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite
Configuration Instructions
To configure Cyber-Ark Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite:
1. Download the .xsl file from RSA SecurCare Online that matches your version of Cyber-Ark. Save the file to a desired location on your Cyber-Ark server, which you will use in step 4.
   - If you use Cyber-Ark 5.0, you must download the RSAenvision.xsl file.
   - If you use Cyber-Ark 7.0, you must download the CyberArk_RSAenvision.xsl file.
2. Log on to the Cyber-Ark appliance with administrator credentials.
3. Open the Cyber-Ark installation folder.
4. In the dbparm.ini file, ensure that the following parameters are set:
   - SyslogServerIP=IP address
     where IP address is the IP address of the RSA enVision server.
   - SyslogServerPort=514
   - SyslogMessageCodeFilter=message codes
     where message codes are the messages that will be sent from the Vault to the enVision platform through the Syslog protocol. By default, all message codes are sent for users and secure activities.
     Note: Use commas to separate individual messages or ranges of messages, for example, SyslogMessageCodeFilter=1,2,5-10.
   - SyslogTranslatorFile=pathname
     where pathname is the location of the .xsl file used to generate logs in syslog format and send them to the enVision platform, for example, C:\Program Files\privateark\server\RSAenVision.xsl. This is the location that you set in step 1.
5. To restart the Cyber-Ark service, follow the steps that match your version of Cyber-Ark:
   a. From the desktop of the Vault Server, click the PrivateArk Server icon.
      - If you use Cyber-Ark 5.0, the Central Administration Console launches.
      - If you use Cyber-Ark 7.0, the Server Central Administrator launches.
   b. Click Stop/Start to restart the Cyber-Ark service.
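An added example, not part of the RSA or Cyber-Ark documentation: a Python check of the four syslog parameters from step 4, worth running before the restart in step 5 because a mistake here keeps Vault audit events from reaching enVision. It assumes dbparm.ini holds plain key=value lines and that an absent SyslogMessageCodeFilter means the default of all codes; the sample IP address is constructed.

```python
import ipaddress

# Constructed sample of the syslog lines in dbparm.ini (IP address is illustrative).
SAMPLE = r"""
SyslogServerIP=192.0.2.10
SyslogServerPort=514
SyslogMessageCodeFilter=1,2,5-10
SyslogTranslatorFile=C:\Program Files\privateark\server\RSAenVision.xsl
"""
XSL_NAMES = {"rsaenvision.xsl", "cyberark_rsaenvision.xsl"}  # file names from step 1

def parse_params(text):
    """Collect key=value pairs, skipping blanks, comments and [section] lines."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.split("=", 1) for l in lines if "=" in l and l[0] not in ";#[")
    return {k.strip(): v.strip() for k, v in pairs}

def expand_filter(spec):
    """Expand '1,2,5-10' into sorted message codes; raise ValueError if malformed."""
    codes = set()
    for part in spec.split(","):
        lo, sep, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi) if sep else int(lo)
        if lo > hi:
            raise ValueError(f"reversed range: {part}")
        codes.update(range(lo, hi + 1))
    return sorted(codes)

def check(text):
    """Return a list of problems found in the syslog settings (empty list = OK)."""
    p, problems = parse_params(text), []
    try:
        ipaddress.ip_address(p.get("SyslogServerIP", ""))
    except ValueError:
        problems.append("SyslogServerIP is missing or not an IP address")
    if p.get("SyslogServerPort") != "514":
        problems.append("SyslogServerPort is not 514")
    if "SyslogMessageCodeFilter" in p:  # assumption: absent means default (all codes)
        try:
            expand_filter(p["SyslogMessageCodeFilter"])
        except ValueError:
            problems.append("SyslogMessageCodeFilter is malformed")
    name = p.get("SyslogTranslatorFile", "").replace("\\", "/").rsplit("/", 1)[-1]
    if name.lower() not in XSL_NAMES:
        problems.append("SyslogTranslatorFile does not name an enVision .xsl file")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE) or "syslog settings look consistent")
```

The check only reads the text it is given; pass it the contents of the real dbparm.ini in place of SAMPLE.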
Cyber-Ark Release Notes (20131204-183327)
New and Updated Messages
For complete details on new and changed messages, see the Event Source Update Help.
RSA Event Source
Cyber-Ark Release Notes (20131031-163922)
New and Updated Messages
For complete details on new and changed messages, see the Event Source Update Help.
Cyber-Ark Release Notes (20131002-155915)
New and Updated Messages
For complete details on new and changed messages, see the Event Source Update Help.
Cyber-Ark Release Notes (20120529-140644)
What’s New in This Release
RSA has added support for Cyber-Ark Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite 7.0.
New and Updated Messages
For complete details on new and changed messages, see the Event Source Update Help.
Cyber-Ark Release Notes (20120105-082058)
What’s New in This Release
RSA updated Cyber-Ark Privileged Identity Management Suite, Privileged Session Management Suite, and Sensitive Information Management Suite to Content 2.0. This event source uses the Access table. Content 2.0 features new tables and improvements to the parsing of event data into variables in those new tables.
For rules and reports, note the following:
- For factory reports, as existing event sources are converted to Content 2.0, their device-specific reports are updated to work with the new content. In some cases, class-specific reports have replaced device-specific reports.
- Factory correlated rules have been modified to take advantage of the improved tables, variables and parsing.
- Custom rules that involve event sources updated to work with Content 2.0 need to be rewritten.
- Custom reports may not produce the same results as previously. For guidance on updating custom reports, see the accompanying table documentation and the RSA enVision Content Inspection Tool guide.
Cyber-Ark Release Notes (20111205-083318)
New and Updated Messages
For complete details on new and changed messages, see the Event Source Update Help.