Detection Logic

Enhanced CyberArk audit analytics rules with improved KQL logic leveraging custom data field parsing:

  • High Risk Actions: Modified to parse customData JSON for enriched context including authentication method, client IP, geo-location, and device OS details during off-hours privileged operations
  • Mass Actions: Enhanced to track bulk operations with custom data target extraction for improved correlation
  • Multi Failed and Success: Improved pattern detection with custom data enrichment for failed/successful authentication sequences
  • Sensitive Changes: Completely rewritten to detect control-plane modifications (safes, permissions, roles, entitlements) using customData fields
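
As an added illustration of the customData parsing these rules rely on (this is not the PR's own query; it runs over a constructed datatable rather than the solution's real table, so the column names `userName`, `action` and `customData`, the JSON keys inside customData, the high-risk action list and the business-hours window are all assumptions), a KQL query that flags off-hours control-plane actions with the enriched context described for the High Risk Actions rule:

```kql
// Constructed sample events standing in for the CyberArk audit table.
// Table name, column names and JSON keys are assumptions for illustration only.
let SampleAuditEvents = datatable(
    TimeGenerated: datetime,
    userName: string,
    action: string,
    customData: string
)[
    datetime(2024-03-12T02:15:00Z), "alice@corp.example", "Safe Updated",
      '{"authMethod":"password","clientIp":"203.0.113.10","geo":{"country":"NL","city":"Amsterdam"},"device":{"os":"Windows 11"},"target":"Prod-DB-Safe"}',
    datetime(2024-03-12T14:05:00Z), "bob@corp.example", "Safe Updated",
      '{"authMethod":"mfa","clientIp":"198.51.100.7","geo":{"country":"US","city":"Austin"},"device":{"os":"macOS 14"},"target":"Dev-Safe"}',
    datetime(2024-03-12T23:40:00Z), "carol@corp.example", "Role Member Added",
      '{"authMethod":"sso","clientIp":"192.0.2.44","geo":{"country":"US","city":"Boston"},"device":{"os":"Linux"},"target":"Vault Admins"}',
    datetime(2024-03-12T10:00:00Z), "dave@corp.example", "Account Retrieved",
      '{"authMethod":"mfa","clientIp":"198.51.100.9","geo":{"country":"US","city":"Denver"},"device":{"os":"Windows 10"},"target":"svc-backup"}'
];
// Control-plane actions treated as high risk (illustrative list, not the rule's).
let HighRiskActions = dynamic(["Safe Updated", "Role Member Added", "Permission Granted"]);
// Business hours assumed to be 08:00-18:00 UTC, Monday to Friday.
SampleAuditEvents
| where action in (HighRiskActions)
// Parse the customData JSON once, then lift the enrichment fields into columns
// so analysts see who, from where, and how the actor authenticated.
| extend cd = parse_json(customData)
| extend AuthMethod = tostring(cd.authMethod),
         ClientIp   = tostring(cd.clientIp),
         Country    = tostring(cd.geo.country),
         City       = tostring(cd.geo.city),
         DeviceOs   = tostring(cd.device.os),
         Target     = tostring(cd.target)
// dayofweek() returns a timespan: 0d is Sunday, 6d is Saturday.
| extend Hour = hourofday(TimeGenerated), Weekday = dayofweek(TimeGenerated)
| where Hour < 8 or Hour >= 18 or Weekday == 0d or Weekday == 6d
| project TimeGenerated, userName, action, Target, AuthMethod, ClientIp, Country, City, DeviceOs
```

With the constructed rows, the query returns the 02:15 "Safe Updated" by alice (password-only authentication from a foreign IP on Prod-DB-Safe) and the 23:40 "Role Member Added" by carol, while bob's daytime change and dave's account retrieval are not surfaced. The same `extend` over the parsed `Target` column is what a Mass Actions style rule would then `summarize` per user and time bin, so the parsing is done once and reused rather than re-deriving targets from message text.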

Security Impact (Visibility & Fidelity)

Significantly improved detection fidelity by extracting structured data from customData JSON fields rather than relying solely on message parsing. This reduces false positives and provides SOC analysts with enriched context for privileged access investigations.

MITRE Mapping

  • T1078 (Valid Accounts): Enhanced user activity correlation
  • Privilege Escalation tactics: Improved permission change detection

Affected Files

Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditHighRiskActions.yaml
Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditMassActions.yaml
Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditMultiFailedAndSuccess.yaml
Solutions/CyberArkAudit/Analytics Rules/CyberArkAuditSensitiveChanges.yaml
(packaging artefacts: mainTemplate.json, createUiDefinition.json)