Hi, there are hundreds of "action codes" within Cyber-Ark, and without knowing the product inside-out, I wonder which ones are key from a security investigation standpoint?
For instance, is "Clear Safe History" or "Clear User History" evidence of a cover-up by a rogue admin?
"Unauthorized Station" sounds key, but is it really that important outside of Cyber-Ark?
I could raise a ticket with Cyber-Ark, but wonder whether other QRadar users have already gone this route?
Thanks, Tony
Posted By Tony White
Pinned topic: Key Security concerns within Cyber-Ark
3 replies. Latest post 2013-02-27T06:23:08Z by SystemAdmin
Re: really depends on the user (2013-02-12T15:05:19Z, in response to SystemAdmin)
It really depends on the user doing it. There are quite a few built-in users in C-Ark that have their actions logged, and it creates quite a bit of noise. If you can exclude those users from the 'clear' actions, then you have your rogue admin.
Un-auth station is usually a lock-out, or if you are doing 'geographic security' (or login restrictions by IP) then that could be important, as someone is either locked out or attempting a login from a bad location / brute force.
Posted By Mike Calvi
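The two checks Mike describes above (drop the 'clear' actions performed by the noisy component users and look at what is left; treat a run of Unauthorized Station events from one address as a lock-out or brute-force signal) as an added example, not code from the thread or from CyberArk. The key="value" log layout is constructed for the example, since the Vault's syslog output is configurable and the real layout depends on the install; the names in BUILTIN_USERS are placeholders for the install-specific component users, not real CyberArk accounts; and UNAUTH_THRESHOLD is an assumed tuning value.

```python
"""Flag CyberArk audit events worth investigating: history-clearing by a
non-component user, and bursts of Unauthorized Station events.

Added example, not part of the original thread. The log format is a
constructed key="value" layout (adapt parse_event to what your Vault actually
sends); the names in BUILTIN_USERS are placeholders, not real CyberArk accounts.
"""
import re
from collections import Counter, defaultdict

# ASSUMPTION: placeholder names for the install-specific component users whose
# routine 'clear' actions are noise. Replace with the ones in your own install.
BUILTIN_USERS = {"ComponentUserA", "ComponentUserB"}

# Actions named in the thread that a rogue admin might use to cover tracks.
CLEAR_ACTIONS = {"Clear Safe History", "Clear User History"}
UNAUTH_ACTION = "Unauthorized Station"

# ASSUMPTION: how many Unauthorized Station events from one station count as a
# brute-force / bad-location pattern rather than a single locked-out user.
UNAUTH_THRESHOLD = 3

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Parse one constructed key="value" audit line into a dict.

    Returns None for lines that lack the fields the rules below need."""
    fields = dict(_KV.findall(line))
    if not all(k in fields for k in ("ts", "user", "action")):
        return None
    return fields


def suspicious_clears(events):
    """History-clearing events not performed by a known component user."""
    return [e for e in events
            if e["action"] in CLEAR_ACTIONS and e["user"] not in BUILTIN_USERS]


def unauthorized_station_bursts(events, threshold=UNAUTH_THRESHOLD):
    """Stations with at least `threshold` Unauthorized Station events, keyed by
    station with a count per user tried, so an analyst can tell one locked-out
    user from someone cycling through account names."""
    per_station = defaultdict(Counter)
    for e in events:
        if e["action"] == UNAUTH_ACTION:
            per_station[e.get("station", "?")][e["user"]] += 1
    return {st: dict(users) for st, users in per_station.items()
            if sum(users.values()) >= threshold}


def analyse(log_text):
    """Run both rules over raw log text; malformed lines are skipped."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return {
        "clears": suspicious_clears(events),
        "unauthorized_bursts": unauthorized_station_bursts(events),
    }


# Constructed sample log lines, not captured from a real Vault.
SAMPLE_LOG = """\
ts="2013-02-12T09:00:01Z" user="ComponentUserA" action="Clear Safe History" safe="AppAccounts" station="10.0.0.5"
ts="2013-02-12T09:05:12Z" user="jsmith" action="Clear Safe History" safe="DomainAdmins" station="10.0.0.21"
ts="2013-02-12T09:05:40Z" user="jsmith" action="Clear User History" station="10.0.0.21"
ts="2013-02-12T09:10:00Z" user="ComponentUserB" action="Clear User History" station="10.0.0.6"
ts="2013-02-12T09:11:00Z" user="admin" action="Unauthorized Station" station="203.0.113.9"
ts="2013-02-12T09:11:02Z" user="administrator" action="Unauthorized Station" station="203.0.113.9"
ts="2013-02-12T09:11:05Z" user="root" action="Unauthorized Station" station="203.0.113.9"
ts="2013-02-12T09:30:00Z" user="mcalvi" action="Unauthorized Station" station="10.0.0.40"
garbage line without fields
"""

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for e in result["clears"]:
        print(f"INVESTIGATE {e['ts']} {e['user']} {e['action']} from {e['station']}")
    for station, users in result["unauthorized_bursts"].items():
        print(f"BURST station={station} attempts={users}")
```

On the sample, the two component-user clears are dropped as noise, the two jsmith clears are reported, the single mcalvi lock-out from 10.0.0.40 stays below the threshold, and 203.0.113.9 is reported as a burst with three different account names tried. The same exclusion can be applied at the source, in the Vault's syslog filter, so the noisy events never reach the SIEM at all; doing it in the rule instead keeps the raw audit trail intact for forensics.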
Re: Hi Mike, "exclude those users" (2013-02-25T11:05:28Z, in response to SystemAdmin)
Hi Mike, "exclude those users from the 'clear' actions". Is this something that might upset those who manage Cyber-Ark? Do they need that level of logging? Do you know the list of "built-in users" please?
Many thanks, Tony
Posted By Tony White
Re: Your CArk admins should be (2013-02-27T06:23:08Z, in response to SystemAdmin)
Your CArk admins should be able to filter what they send to Q1 in the CArk software. We worked with our CArk admins (really the two engineers on CArk and Q1, since we run both) and determined what we wanted logged. The event codes are in the CArk docs.
As far as whether they are upset or whether they need that level, it's really up to your company/admins. The built-in users are install dependent (named after the components in your install), though some are listed below.
Posted By Mike Calvi