CyberArk Vault Token
Service Name: CyberArk Privileged Access Security
Service Description: CyberArk is a leading privileged access management solution that helps organizations secure, manage, and monitor privileged accounts and credentials. The vault token is used to authenticate and access the CyberArk Privileged Access Security platform.
Service Address: https://www.cyberark.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the platform level through network access controls and policies within CyberArk.
Secret Access Scope: Grants access to the CyberArk Vault and its stored privileged credentials, depending on the permissions assigned to the token. Can be used to retrieve passwords, SSH keys, and other sensitive credentials stored in the vault.
Secret Revokement URL: https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/WebServices/Revoke-Authentication.htm
Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJDeWJlckFya1ZhdWx0VG9rZW4iLCJuYW1lIjoiQWRtaW5Vc2VyIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Suspicious Activity Investigation Instructions:
- Review CyberArk audit logs for unusual access patterns or credential retrievals
- Check for unauthorized access attempts from unfamiliar IP addresses
- Monitor for unusual credential checkout durations or frequencies
-
Verify if sensitive credentials were accessed outside of normal business hours
-
Look for failed authentication attempts before successful ones (potential brute
force)
- Review which accounts and credentials were accessed using the token
Mitigation Instructions:
- Immediately revoke the compromised token through the CyberArk web interface or API
- Generate a new token with appropriate permissions if needed
- Review and update access policies for the affected user account
- Enable or review multi-factor authentication settings for privileged users
- Check if any accessed credentials need to be rotated
- Update IP restrictions and access policies as needed
- Consider implementing just-in-time access for privileged accounts
- Review CyberArk's session recording to determine what actions were performed with the token