CyberArk PAM Integration
Overview
CyberArk provides privileged access management with session recording and credential vaulting. KYRA MDR collects CyberArk audit logs via syslog or REST API for monitoring privileged access.
Prerequisites
- A KYRA MDR Collector installed and running
- CyberArk Privileged Access Security suite deployed
- CyberArk Vault with syslog or SIEM integration configured
- Administrative access to the CyberArk PVWA
Configuration
Configure CyberArk syslog integration:
- Log in to the CyberArk PVWA
- Navigate to Administration > Configuration Options > Options > SIEM
- Configure syslog settings:
| Setting | Value |
|---|---|
| Syslog Server | Your KYRA Collector IP |
| Port | 514 |
| Protocol | TCP |
| Format | CEF |
- Enable audit event forwarding
- Save and apply the configuration
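Once forwarding is enabled, a quick check on the collector side is to confirm that received lines parse as CEF. The parser below is an added example, not KYRA MDR or CyberArk code. The sample line and all of its field values are constructed, and it assumes the standard CEF layout of seven pipe-delimited header fields followed by key=value extensions.

```python
import re

# CEF header fields, in order, ahead of the key=value extension.
HEADER = ("cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
# An extension key is a bare token at line start or after whitespace, then '='.
# An escaped '\=' inside a value never matches because '\' is not a key char.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(body):
    # Walk the header by hand so escaped pipes and backslashes stay in the field.
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, body[i:]


def parse_cef(line):
    start = line.find("CEF:")  # skip whatever syslog prefix precedes the event
    if start < 0:
        raise ValueError("no CEF header in line")
    fields, ext = split_header(line[start + 4:])
    if len(fields) != len(HEADER):
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, fields), ext={})
    keys = list(_KEY.finditer(ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        event["ext"][m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return event


# Constructed sample line (not captured from a real Vault).
SAMPLE = (r"<5>Jan 01 00:00:00 vault01 CEF:0|Cyber-Ark|Vault|12.0|295|"
          r"Retrieve password|5|act=Retrieve password suser=alice "
          r"dvc=10.0.0.10 msg=ticket\=INC123 approved")

if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Lines that raise `ValueError` here usually mean the Format setting is not CEF or the message was cut off in transit.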
For REST API integration:
```yaml
sources:
  - type: cyberark
    api_url: https://<pvwa-host>/PasswordVault
    username: <api-user>
    password: <password>
    poll_interval: 60s
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| Credential Access | Safe and account access events | Credential misuse detection |
| Session | Privileged session events | Session monitoring |
| Policy | Policy change and enforcement | Security policy auditing |
| Authentication | PVWA login events | PAM access monitoring |
| Account Management | Account onboarding and changes | Credential lifecycle |
| Threat Detection | PTA threat alerts | Privileged threat detection |
Troubleshooting
No SIEM events: Verify the SIEM configuration is enabled and the Vault service has been restarted.
Missing session data: Session events require PSM (Privileged Session Manager) to be deployed.
PTA alerts: CyberArk PTA provides risk-based alerts for privileged accounts.
Contact kyra@seekerslab.com for support.