Integrate CyberArk with Microsoft Defender for IoT

This article helps you learn how to integrate and use CyberArk with Microsoft Defender for IoT.

Defender for IoT delivers ICS and IIoT cybersecurity platforms with ICS-aware threat analytics and machine learning.

Threat actors are using compromised remote access credentials to access critical infrastructure networks via remote desktop and VPN connections. By using trusted connections, this approach easily bypasses any OT perimeter security. Credentials are typically stolen from privileged users, such as control engineers and partner maintenance personnel, who require remote access to perform daily tasks.

The Defender for IoT integration with CyberArk allows you to:

  • Reduce OT risks from unauthorized remote access

  • Provide continuous monitoring and privileged access security for OT

  • Enhance incident response, threat hunting, and threat modeling

The Defender for IoT appliance connects to the OT network through a SPAN port (mirror port) on network devices, such as switches and routers, using a one-way (inbound) connection to the dedicated network interfaces on the appliance.

A dedicated network interface is also provided in the Defender for IoT appliance for centralized management and API access. This interface is also used for communicating with the CyberArk PSM solution that is deployed in the data center of the organization to manage privileged users and secure remote access connections.

The CyberArk PSM solution deployment

In this article, you learn how to:

  • Configure PSM in CyberArk
  • Enable the integration in Defender for IoT
  • View and manage detections
  • Stop the integration


Before you begin, make sure that you have the following prerequisites:

Configure PSM CyberArk

CyberArk must be configured to allow communication with Defender for IoT. This communication is accomplished by configuring PSM.

To configure PSM:

  1. Locate and open the c:\Program Files\PrivateArk\Server\dbparam.xml file.

  2. Add the following parameters:

    [SYSLOG]
    UseLegacySyslogFormat=Yes
    SyslogTranslatorFile=Syslog\CyberX.xsl
    SyslogServerIP=<CyberX Server IP>
    SyslogServerProtocol=UDP
    SyslogMessageCodeFilter=319,320,295,378,380

  3. Save the file, then close it.

  4. Place the Defender for IoT syslog configuration file CyberX.xsl in c:\Program Files\PrivateArk\Server\Syslog\CyberX.xsl.

  5. Open the Server Central Administration.

  6. Select the Stop Traffic Light to stop the server.

  7. Select the Start Traffic Light to start the server.
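
Before restarting the server, the [SYSLOG] block from step 2 can be checked for the mistakes that silently break the feed. The script below is an added example, not part of the original article or of either product; the function names and the sample text are constructed, and only the keys and values shown in step 2 are taken from the page.

```python
import ipaddress

# Settings from step 2 of the article; the server IP is site-specific.
EXPECTED = {
    "UseLegacySyslogFormat": "Yes",
    "SyslogTranslatorFile": r"Syslog\CyberX.xsl",
    "SyslogServerProtocol": "UDP",
}
REQUIRED_CODES = {"319", "320", "295", "378", "380"}

# Constructed sample: placeholder IP left in, wrong protocol, two codes dropped.
BAD_SAMPLE = r"""
[SYSLOG]
UseLegacySyslogFormat=Yes
SyslogTranslatorFile=Syslog\CyberX.xsl
SyslogServerIP=<CyberX Server IP>
SyslogServerProtocol=TCP
SyslogMessageCodeFilter=319,320,295
"""


def read_syslog_section(text):
    """Collect key=value pairs that follow the [SYSLOG] header."""
    section, in_syslog = {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            in_syslog = line.upper() == "[SYSLOG]"
        elif in_syslog and "=" in line:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return section


def check_syslog_section(text):
    """Return findings; an empty list means the block matches the article."""
    cfg = read_syslog_section(text)
    if not cfg:
        return ["no [SYSLOG] settings found"]
    findings = []
    for key, want in EXPECTED.items():
        if cfg.get(key, "").lower() != want.lower():
            findings.append(f"{key}={cfg.get(key)!r}, expected {want}")
    try:
        ipaddress.ip_address(cfg.get("SyslogServerIP", ""))
    except ValueError:
        findings.append(f"SyslogServerIP is not an IP address: {cfg.get('SyslogServerIP')!r}")
    codes = {c.strip() for c in cfg.get("SyslogMessageCodeFilter", "").split(",")}
    if REQUIRED_CODES - codes:
        findings.append("SyslogMessageCodeFilter lacks: " + ",".join(sorted(REQUIRED_CODES - codes)))
    return findings
```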

Enable the integration in Defender for IoT

To enable the integration, the Syslog Server must be enabled in the Defender for IoT on-premises management console. By default, the Syslog Server listens on the IP address of the system, on UDP port 514.

To configure Defender for IoT:

  1. Sign into your Defender for IoT on-premises management console, then navigate to System Settings.

  2. Toggle the Syslog Server to On.

    Screenshot of the syslog server toggled to on.

  3. (Optional) Change the port by signing into the system via the CLI, navigating to /var/cyberx/properties/, and then changing to listener: 514/udp.

View and manage detections

The integration between Microsoft Defender for IoT and CyberArk PSM is performed via syslog messages. These messages are sent by the PSM solution to Defender for IoT, notifying Defender for IoT of any remote sessions or verification failures.

Once the Defender for IoT platform receives these messages from PSM, it correlates them with the data it sees in the network, thus validating that any remote access connections to the network were generated by the PSM solution and not by an unauthorized user.
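
The correlation idea described above, sketched as an added example (it is not Defender for IoT's own logic and not code from the original article). The record layout, the 60-second window and the rule that one PSM notice authorizes one session are assumptions, and all records are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed tolerance between PSM notice and observed session


def ts(text):
    return datetime.fromisoformat(text)


def rec(time, src, dst, proto):
    return {"time": ts(time), "src": src, "dst": dst, "proto": proto}


# Constructed PSM notifications after parsing (field layout is an assumption).
PSM_EVENTS = [
    rec("2024-05-01T08:00:05", "10.0.5.20", "10.1.1.11", "RDP"),
    rec("2024-05-01T09:30:00", "10.0.5.20", "10.1.1.12", "SSH"),
]

# Constructed remote sessions seen in the mirrored OT traffic.
OBSERVED = [
    rec("2024-05-01T08:00:09", "10.0.5.20", "10.1.1.11", "RDP"),  # announced by PSM
    rec("2024-05-01T08:00:40", "10.0.5.20", "10.1.1.11", "RDP"),  # notice already used
    rec("2024-05-01T09:30:20", "10.0.5.20", "10.1.1.12", "SSH"),  # announced by PSM
    rec("2024-05-01T11:15:00", "10.0.9.77", "10.1.1.11", "RDP"),  # never announced
    rec("2024-05-01T12:00:00", "10.0.5.20", "10.1.1.12", "SSH"),  # notice is hours old
]


def correlate(observed, psm_events, window=WINDOW):
    """Return (authorized, unauthorized) lists of observed sessions."""
    pending = sorted(psm_events, key=lambda e: e["time"])
    authorized, unauthorized = [], []
    for session in sorted(observed, key=lambda s: s["time"]):
        match = next(
            (e for e in pending
             if (e["src"], e["dst"], e["proto"])
             == (session["src"], session["dst"], session["proto"])
             and abs(session["time"] - e["time"]) <= window),
            None,
        )
        if match is None:
            unauthorized.append(session)
        else:
            pending.remove(match)  # one notice authorizes one session (assumption)
            authorized.append(session)
    return authorized, unauthorized
```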

View alerts

Whenever the Defender for IoT platform identifies remote sessions that haven't been authorized by PSM, it issues an Unauthorized Remote Session alert. To facilitate immediate investigation, the alert also shows the IP addresses and names of the source and destination devices.

To view alerts:

  1. Sign into your on-premises management console, then select Alerts.

  2. From the list of alerts, select the alert titled Unauthorized Remote Session.

    The Unauthorized Remote Session alert.

Event timeline

Whenever PSM authorizes a remote connection, it's visible in the Defender for IoT Event Timeline page. The Event Timeline page shows a timeline of all alerts and notifications.

To view the event timeline:

  1. Sign into your network sensor, then select Event timeline.

  2. Locate any event titled PSM Remote Session.

Auditing & forensics

Administrators can audit and investigate remote access sessions by querying the Defender for IoT platform via its built-in data mining interface. This information can be used to identify all remote access connections that have occurred, including forensic details such as the from and to devices, protocols (RDP or SSH), source and destination users, timestamps, and whether the sessions were authorized using PSM.

To audit and investigate:

  1. Sign into your network sensor, then select Data mining.

  2. Select Remote Access.

Stop the Integration

At any point in time, you can stop the integration from communicating.

To stop the integration:

  1. In the Defender for IoT on-premises management console, navigate to System Settings.

  2. Toggle the Syslog Server option to Off.

    A view of the Server status.
