CyberArk Privileged Threat Analytics
The JSA DSM for CyberArk Privileged Threat Analytics collects events from a CyberArk Privileged Threat Analytics device.
The following table describes the specifications for the CyberArk Privileged Threat Analytics DSM:
Specification | Value
---|---
Manufacturer | CyberArk
DSM name | CyberArk Privileged Threat Analytics
RPM file name | DSM-CyberArkPrivilegedThreatAnalytics-JSA_version-build_number.noarch.rpm
Supported versions | V3.1
Protocol | Syslog
Recorded event types | Detected security events
Automatically discovered? | Yes
Includes identity? | No
Includes custom properties? | No
More information | CyberArk website (http://www.cyberark.com)
To integrate CyberArk Privileged Threat Analytics with JSA, complete the following steps:

1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from the Juniper Downloads onto your JSA console:
   - CyberArk Privileged Threat Analytics DSM RPM
   - DSMCommon RPM
2. Configure your CyberArk Privileged Threat Analytics device to send syslog events to JSA.
3. If JSA does not automatically detect the log source, add a CyberArk Privileged Threat Analytics log source on the JSA Console. The following table describes the parameters that require specific values for CyberArk Privileged Threat Analytics event collection:

Table 2: CyberArk Privileged Threat Analytics Log Source Parameters

Parameter | Value
---|---
Log Source type | CyberArk Privileged Threat Analytics
Protocol Configuration | Syslog
Configuring CyberArk Privileged Threat Analytics to Communicate with JSA
To collect all events from CyberArk Privileged Threat Analytics, you must specify JSA as the syslog server and configure the syslog format. The CyberArk Privileged Threat Analytics device sends syslog events that are formatted as Log Event Extended Format (LEEF).
1. On the CyberArk Privileged Threat Analytics machine, go to the /opt/tomcat/diamond-resources/local/ directory, and open the systemparm.properties file in a text editor such as vi.
2. Uncomment the syslog_outbound property and then edit the following parameters:

   Parameter | Value
   ---|---
   Host | The host name or IP address of the JSA system.
   Port | 514
   Protocol | UDP
   Format | JSA

   The following is an example of the syslog_outbound property:

   syslog_outbound=[{"host": "SIEM_MACHINE_ADDRESS", "port": 514, "format": "QRadar", "protocol": "UDP"}]

   The following is an example of the syslog_outbound property specifying multiple syslog recipients, separated by commas:

   syslog_outbound=[{"host": "SIEM_MACHINE_ADDRESS", "port": 514, "format": "QRadar", "protocol": "UDP"}, {"host": "SIEM_MACHINE_ADDRESS1", "port": 514, "format": "QRadar", "protocol": "UDP"}, …]

3. Save the systemparm.properties configuration file, and then close it.
4. Restart CyberArk Privileged Threat Analytics.
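The syslog_outbound edit in step 2 is easy to get wrong by hand, because the value is a JSON array embedded in a Java properties line and the property ships commented out. The following Python script is an added example, not code from this Juniper page or from CyberArk: it parses an existing (possibly commented-out) syslog_outbound line, builds a valid line for one or more recipients with the values this page documents (port 514, protocol UDP) and the "QRadar" format string used in the page's own examples, and rewrites the property in a copy of the file. The sample properties text and the 203.0.113.x addresses are constructed for the example; the real file lives at /opt/tomcat/diamond-resources/local/systemparm.properties, and the SIEM address must be replaced with your JSA system's host name or IP address.

```python
"""Build, validate and apply the syslog_outbound property for systemparm.properties.

Added example for the JSA/CyberArk PTA integration described above; it is not
part of either product. Run it against a copy of the file before editing the
live one.
"""
import json
import re
from typing import Dict, List

# Values documented on the page for the JSA integration.
DEFAULT_PORT = 514
ALLOWED_PROTOCOLS = {"UDP"}
# The page's property examples use "QRadar" as the format string.
DEFAULT_FORMAT = "QRadar"

# Matches the property whether or not it is currently commented out.
_PROPERTY_RE = re.compile(r"^\s*#?\s*syslog_outbound\s*=\s*(.*)$")

# Constructed sample of the relevant part of systemparm.properties (not the real file).
SAMPLE_PROPERTIES = """# constructed sample, not the shipped systemparm.properties
some.other.setting=true
#syslog_outbound=[{"host": "SIEM_MACHINE_ADDRESS", "port": 514, "format": "QRadar", "protocol": "UDP"}]
"""


def validate_recipient(entry: Dict[str, object]) -> None:
    """Reject a recipient that does not match the documented values."""
    if not entry.get("host"):
        raise ValueError("host is required (JSA host name or IP address)")
    if not isinstance(entry["port"], int) or not 1 <= entry["port"] <= 65535:
        raise ValueError(f"invalid port: {entry['port']!r}")
    if entry["protocol"] not in ALLOWED_PROTOCOLS:
        raise ValueError(f"protocol must be one of {sorted(ALLOWED_PROTOCOLS)}")


def build_syslog_outbound(recipients: List[Dict[str, object]]) -> str:
    """Return the full property line for one or more syslog recipients.

    Each recipient needs a 'host'; 'port', 'format' and 'protocol' default to the
    values shown in the page's examples. Entries are validated before emission.
    """
    entries = []
    for r in recipients:
        entry = {
            "host": r.get("host", ""),
            "port": int(r.get("port", DEFAULT_PORT)),
            "format": r.get("format", DEFAULT_FORMAT),
            "protocol": r.get("protocol", "UDP"),
        }
        validate_recipient(entry)
        entries.append(entry)
    if not entries:
        raise ValueError("at least one syslog recipient is required")
    return "syslog_outbound=" + json.dumps(entries)


def parse_syslog_outbound(line: str) -> List[Dict[str, object]]:
    """Parse a syslog_outbound line (commented out or active) into its recipients."""
    m = _PROPERTY_RE.match(line)
    if not m:
        raise ValueError("not a syslog_outbound property line")
    value = json.loads(m.group(1))
    if not isinstance(value, list):
        raise ValueError("syslog_outbound must be a JSON array of recipients")
    return value


def update_properties(text: str, recipients: List[Dict[str, object]]) -> str:
    """Return the properties text with syslog_outbound uncommented and set.

    The first matching line (active or commented) is replaced; any later
    duplicates are left commented so only one definition is active. If the
    property is absent it is appended.
    """
    new_line = build_syslog_outbound(recipients)
    lines = text.splitlines()
    replaced = False
    for i, line in enumerate(lines):
        if _PROPERTY_RE.match(line):
            if not replaced:
                lines[i] = new_line
                replaced = True
            elif not line.lstrip().startswith("#"):
                lines[i] = "#" + line
    if not replaced:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Two JSA recipients (constructed addresses); print the rewritten file.
    print(update_properties(SAMPLE_PROPERTIES,
                            [{"host": "203.0.113.10"}, {"host": "203.0.113.11"}]))
```

To apply it to the real host, read /opt/tomcat/diamond-resources/local/systemparm.properties into `text`, pass your JSA address(es) to `update_properties`, write the result back, and then restart the appliance as in step 4. The validator deliberately refuses any protocol other than the documented UDP, so a typo cannot silently produce a recipient JSA never receives from.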