LoFP / to tune this rule, add exceptions to exclude any event.code which should not trigger this rule.

Techniques

• T1078

Sample rules

CyberArk Privileged Access Security Error

• source: elastic
• technicques:
  • T1078

Description

Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.

Detection logic

event.dataset:cyberarkpas.audit and event.type:error

CyberArk Privileged Access Security Recommended Monitor

• source: elastic
• technicques:
  • T1078

Description

Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.

Detection logic

event.dataset:cyberarkpas.audit and
  event.code:(4 or 22 or 24 or 31 or 38 or 57 or 60 or 130 or 295 or 300 or 302 or
              308 or 319 or 344 or 346 or 359 or 361 or 378 or 380 or 411) and
  not event.type:error