Collect CyberArk Privileged Threat Analytics logs

This document explains how to ingest CyberArk Privileged Threat Analytics logs into Google Security Operations using Bindplane. CyberArk Privileged Threat Analytics (PTA) is a security solution that detects and responds to malicious activities involving privileged accounts. It uses advanced analytics and machine learning to monitor, analyze, and flag abnormal behaviors that may indicate potential insider threats or compromised credentials.

Before you begin

Make sure you have the following prerequisites:

  • A Google SecOps instance.
  • A Windows Server 2016 or later host, or a Linux host with systemd.
  • If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements.
  • Privileged access to the CyberArk Privileged Threat Analytics server.

Get Google SecOps ingestion authentication file

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Collection Agents.
  3. Download the Ingestion Authentication File.
    • Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

  1. Sign in to the Google SecOps console.
  2. Go to SIEM Settings > Profile.
  3. Copy and save the Customer ID from the Organization Details section.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

  1. Open the Command Prompt or PowerShell as an administrator.
  2. Run the following command:

    msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quiet
    

Linux installation

  1. Open a terminal with root or sudo privileges.
  2. Run the following command:

    sudo sh -c "$(curl -fsSlL https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh)" install_unix.sh
    

Additional installation resources

For additional installation options, consult this installation guide.

Configure the Bindplane agent to ingest syslog and send to Google SecOps

  1. Access the configuration file:

    • Locate the config.yaml file. Typically, it's in the /opt/observiq-otel-collector/ directory on Linux or in the installation directory on Windows.
    • Open the file using a text editor (for example, nano, vi, or Notepad).
  2. Edit the config.yaml file as follows:

    receivers:
        tcplog:
            listen_address: "0.0.0.0:514"
    
    exporters:
        chronicle/cyberark_pta:
            compression: gzip
            creds_file_path: '/path/to/ingestion-authentication-file.json'
            customer_id: '<CUSTOMER_ID>'
            endpoint: <ENDPOINT>
            log_type: 'CYBERARK_PTA'
            raw_log_field: body
            ingestion_labels:
    
    service:
        pipelines:
            logs/cyberark_pta_to_chronicle:
                receivers:
                    - tcplog
                exporters:
                    - chronicle/cyberark_pta
    
  • Replace the port and IP address as required in your infrastructure.
  • Replace <CUSTOMER_ID> with the actual customer ID.
  • Replace the <ENDPOINT> value with your regional endpoint:

    • United States: malachiteingestion-pa.googleapis.com
    • Europe: europe-malachiteingestion-pa.googleapis.com
    • Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  • Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved.

Restart the Bindplane agent to apply the changes

  1. To restart the Bindplane agent in Linux, run the following command:

    sudo systemctl restart observiq-otel-collector
    
  2. To restart the Bindplane agent in Windows, you can either use the Services console or enter the following command:

    net stop observiq-otel-collector && net start observiq-otel-collector
    

Configure CyberArk Privileged Threat Analytics syslog forwarding

  1. Sign in to the Privileged Threat Analytics server.
  2. Run the DEFAULTPARM command to open the default systemparm.properties file.
  3. Copy the line containing the syslog_outbound property and exit the systemparm.properties file.
  4. Run the LOCALPARM command to open the local systemparm.properties file.
  5. Press i on the keyboard to edit the file.
  6. In the systemparm.properties file, uncomment the syslog_outbound property.
  7. Paste the line that you copied and edit the parameters according to the following example:

    syslog_outbound=[{"siem": "Chronicle", "format": "CEF", "host": "BINDPLANE_IP", "port": BINDPLANE_PORT, "protocol": "TCP"}]
    
    • Replace BINDPLANE_IP with the IP address of the Bindplane agent host.
    • Replace BINDPLANE_PORT with the port number configured in the Bindplane agent (for example, 514).
  8. Save the configuration file and close it.
  9. Restart the Privileged Threat Analytics server to apply the changes.

For more information, see the CyberArk Privileged Threat Analytics documentation.

UDM mapping table

Log field           UDM mapping                       Logic
src                 principal.ip                      Direct mapping from src field.
dst                 target.ip                         Direct mapping from dst field.
suser               principal.user.userid             Direct mapping from suser field.
duser               target.user.userid                Direct mapping from duser field.
cs1                 security_result.description       Direct mapping from cs1 field (reason).
cs2                 additional.fields                 Direct mapping from cs2 field (station).
act                 security_result.action_details    Direct mapping from act field (action taken).
cat                 metadata.product_event_type       Direct mapping from cat field (event category).
severity            security_result.severity          Mapped from CEF severity value.
deviceCustomDate1   metadata.event_timestamp          Parsed from deviceCustomDate1 field.
                    metadata.vendor_name              Set to CyberArk.
                    metadata.product_name             Set to Privileged Threat Analytics.
                    metadata.log_type                 Set to CYBERARK_PTA.
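The mapping table above, applied in code as an added example that is not part of this page or of the CyberArk or Bindplane products: a small CEF parser for the events PTA forwards over syslog, the field-to-UDM assignments listed in the table, and a helper that pushes one event at the Bindplane tcplog receiver so the pipeline can be checked before PTA is reconfigured. The sample event, the severity bucketing (CEF 0-10 onto LOW/MEDIUM/HIGH/CRITICAL) and the deviceCustomDate1 format are assumptions, not values taken from the page.

```python
# Added example (not part of the Google SecOps page or the Bindplane/CyberArk
# products): parse one CEF event of the kind PTA forwards over syslog and
# apply the UDM mapping from the table above. Severity thresholds, the
# deviceCustomDate1 format and the sample event are assumptions.
import re
import socket
from datetime import datetime, timezone

# Constructed sample event; not captured from a real PTA server.
SAMPLE_CEF = (
    "CEF:0|CyberArk|PTA|14.0|1|Suspected credential theft|8|"
    "suser=jdoe duser=Administrator src=10.0.0.5 dst=10.0.0.20 "
    "cs1=Unusual access time cs2=WKS-017 act=Detected cat=Risky activity "
    "deviceCustomDate1=Mar 03 2024 14:05:09"
)

HEADER_KEYS = ["version", "vendor", "product", "device_version",
               "signature_id", "name", "severity"]
# An extension key starts at the beginning of the extension or after whitespace,
# so values containing spaces (cs1, cat, deviceCustomDate1) stay intact.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9]*)=")


def split_header(cef_line):
    """Return (header dict, extension string). Pipes escaped as \\| are kept."""
    parts = re.split(r"(?<!\\)\|", cef_line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_KEYS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    return header, parts[7]


def parse_extension(ext):
    """Parse 'k=v k2=value with spaces' into a dict, unescaping \\= in values."""
    keys = list(_EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return fields


def map_severity(cef_severity):
    """Assumed bucketing of the CEF 0-10 scale onto UDM severity values."""
    level = int(cef_severity)
    if level <= 3:
        return "LOW"
    if level <= 6:
        return "MEDIUM"
    if level <= 8:
        return "HIGH"
    return "CRITICAL"


def parse_cef_date(value):
    """Assumes the 'MMM dd yyyy HH:mm:ss' CEF timestamp form, read as UTC."""
    if value is None:
        return None
    return datetime.strptime(value, "%b %d %Y %H:%M:%S").replace(
        tzinfo=timezone.utc).isoformat()


def to_udm(cef_line):
    """Apply the page's UDM mapping table to one CEF event."""
    header, ext = split_header(cef_line)
    f = parse_extension(ext)
    return {
        "metadata": {
            "vendor_name": "CyberArk",
            "product_name": "Privileged Threat Analytics",
            "log_type": "CYBERARK_PTA",
            "product_event_type": f.get("cat"),
            "event_timestamp": parse_cef_date(f.get("deviceCustomDate1")),
        },
        "principal": {"ip": f.get("src"), "user": {"userid": f.get("suser")}},
        "target": {"ip": f.get("dst"), "user": {"userid": f.get("duser")}},
        "security_result": {
            "description": f.get("cs1"),
            "action_details": f.get("act"),
            "severity": map_severity(header["severity"]),
        },
        "additional": {"fields": {"station": f.get("cs2")}},
    }


def send_test_event(host, port, cef_line=SAMPLE_CEF, timeout=5):
    """Deliver one newline-terminated event to the tcplog receiver to check
    the Bindplane pipeline end to end before PTA itself is reconfigured."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall((cef_line + "\n").encode("utf-8"))


if __name__ == "__main__":
    import json
    print(json.dumps(to_udm(SAMPLE_CEF), indent=2))
```

Run the file directly to print the UDM-shaped dictionary for the sample event. send_test_event(host, port) sends the same line to the agent's tcplog listener; the event is newline-terminated because the receiver's default line splitting expects it, and the UDM result can then be compared in the Google SecOps console against what this script produces. If the agent's service runs as a non-root user on Linux, binding port 514 requires elevated privileges; a port above 1024 avoids that, as long as the same value is used for BINDPLANE_PORT on the PTA side.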
