3 replies Latest Post - 2013-02-27T06:23:08Z by SystemAdmin
Pinned topic Key Security concerns within Cyber-Ark

2013-02-11T12:14:05Z
Hi, there are hundreds of "action codes" within Cyber-Ark, and without knowing the product inside-out, I wonder which ones are key from a Security investigation standpoint?

For instance, is "Clear Safe History" or "Clear User History" evidence of a cover-up by a rogue admin?
"Unauthorized Station" sounds key, but is it really that important outside of Cyber-Ark?

I could raise a ticket with Cyber-Ark, but wonder whether other QRadar users have already gone this route?

Thanks, Tony
Posted by Tony White

    Re: really depends on the user

    2013-02-12T15:05:19Z  in response to SystemAdmin
    Really depends on the user doing it. There are quite a few built-in users in C-Ark that have their actions logged, and it creates quite a bit of noise. If you can exclude those users from the 'clear' actions, then you have your rogue admin.
    Un-auth station is usually a lockout, or if you are doing 'geographic security' (or login restrictions by IP) then that could be important, as someone is either locked out or attempting a login from a bad location/brute force.
    Posted By Mike Calvi

    Re: Hi Mike, "exclude those users

    2013-02-25T11:05:28Z  in response to SystemAdmin
    Hi Mike, "exclude those users from the 'clear' actions". Is this something that might upset those who manage Cyber-Ark? Do they need that level of logging? Do you know the list of "built-in users" please?

    Many thanks, Tony
    Posted By Tony White

    Re: Your CArk admins should be

    2013-02-27T06:23:08Z  in response to SystemAdmin
    Your CArk admins should be able to filter what they send to Q1 in the CArk software. We worked with our CArk admins (really the two engineers on CArk and Q1, since we run both) and determined what we wanted logged. The event codes are in the CArk docs.

    As far as whether they are upset or whether they need that level, it's really up to your company/admins. The built-in users are install dependent (named after the components in your install), though some are listed below.

    Administrator
    Backup
    DR
    cpm_*
    psm_*
    master
    Posted By Mike Calvi
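The two triage rules discussed in this thread (flag 'Clear Safe History' / 'Clear User History' only when the acting user is not one of the built-in accounts, and watch repeated 'Unauthorized Station' events per user and source station) can be prototyped outside QRadar before turning them into rules. The script below is an added example, not code from the thread, from CyberArk or from QRadar. The key=value log layout, the sample events and the exact spelling of the action names are constructed assumptions; the built-in user list is the one Mike gives above, applied as glob patterns so that `cpm_*` and `psm_*` cover the install-specific component accounts.

```python
"""Triage of CyberArk-style audit events for the two cases raised in the thread.

The log format (space-separated key=value pairs, quoted values allowed) and the
sample lines are constructed for this example; they are not CyberArk's real
syslog/CEF output, and the action strings are assumed spellings.
"""
import fnmatch
import shlex
from collections import Counter

# Built-in accounts named in the thread; entries may be glob patterns.
# Real installs differ, so this list is expected to be adjusted per site.
BUILT_IN_USERS = ["Administrator", "Backup", "DR", "cpm_*", "psm_*", "master"]

# Actions of interest (assumed spellings, taken from the question text).
CLEAR_ACTIONS = {"Clear Safe History", "Clear User History"}
UNAUTH_ACTION = "Unauthorized Station"

# Constructed sample events: one 'clear' by a human admin, two by built-ins,
# a repeated unauthorized-station pair from one external address, and noise.
SAMPLE_LOG = """\
ts=2013-02-11T12:00:01Z user=cpm_prod action="Clear Safe History" safe=WinAdmins station=10.0.0.5
ts=2013-02-11T12:00:02Z user=jdoe action="Clear Safe History" safe=WinAdmins station=10.0.0.9
ts=2013-02-11T12:00:03Z user=Backup action="Clear User History" safe=- station=10.0.0.5
ts=2013-02-11T12:00:04Z user=jdoe action="Unauthorized Station" safe=- station=203.0.113.7
ts=2013-02-11T12:00:05Z user=jdoe action="Unauthorized Station" safe=- station=203.0.113.7
ts=2013-02-11T12:00:06Z user=psm_dmz action="Unauthorized Station" safe=- station=10.0.0.7
ts=2013-02-11T12:00:07Z user=asmith action="Retrieve password" safe=WinAdmins station=10.0.0.11
"""


def parse_event(line):
    """Split one key=value line into a dict; shlex handles the quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_built_in(user):
    """True if the user name matches any built-in name or glob pattern."""
    return any(fnmatch.fnmatchcase(user, pattern) for pattern in BUILT_IN_USERS)


def triage(log_text):
    """Apply both rules from the thread.

    Returns (clear_hits, unauth_counts):
      clear_hits    - events where a non-built-in user cleared safe/user history
      unauth_counts - Counter of (user, station) for 'Unauthorized Station' events
    """
    clear_hits = []
    unauth_counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        action = event.get("action", "")
        user = event.get("user", "")
        if action in CLEAR_ACTIONS and not is_built_in(user):
            clear_hits.append(event)
        elif action == UNAUTH_ACTION:
            unauth_counts[(user, event.get("station", ""))] += 1
    return clear_hits, unauth_counts


def repeated_unauth(unauth_counts, threshold=2):
    """(user, station) pairs at or above the threshold: lockout or brute-force candidates."""
    return {key: n for key, n in unauth_counts.items() if n >= threshold}


if __name__ == "__main__":
    hits, unauth = triage(SAMPLE_LOG)
    for event in hits:
        print("history cleared by non-built-in user:", event["user"], event["action"], "from", event["station"])
    for (user, station), n in repeated_unauth(unauth).items():
        print(f"repeated Unauthorized Station: user={user} station={station} count={n}")
```

With the constructed sample, only `jdoe`'s clear action surfaces (the `cpm_prod` and `Backup` clears are suppressed as built-in noise), and `jdoe` from `203.0.113.7` is reported as a repeated unauthorized-station source while the single `psm_dmz` event is not. The built-in list is deliberately a plain module-level constant so it can be replaced with the component names from a given install, which is the same exclusion the thread suggests configuring on the CyberArk side before events reach Q1.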