Skip to content

Commit

Permalink
Cyberark PTA Mapping (#30295)
Browse files Browse the repository at this point in the history
* Updated ModelingRules

* Updated secrets

* Updated yml

* Update Packs/CyberArk_Privileged_Threat_Analytics/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/CyberArk_Privileged_Threat_Analytics/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Update Packs/CyberArk_Privileged_Threat_Analytics/README.md

Co-authored-by: ShirleyDenkberg <[email protected]>

* Updated yml

* Updated README

* Updated Beta Note

* Updated ModelingRules

* Updated README

---------

Co-authored-by: ShirleyDenkberg <[email protected]>
  • Loading branch information
eepstain and ShirleyDenkberg authored Oct 23, 2023
1 parent 91f3267 commit 727eff9
Show file tree
Hide file tree
Showing 7 changed files with 157 additions and 0 deletions.
Empty file.
1 change: 1 addition & 0 deletions Packs/CyberArk_Privileged_Threat_Analytics/.secrets-ignore
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
https://docs.cyberark.com
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
[MODEL: dataset = "cyberark_pta_raw"]
// This is a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields.
// Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs.
// We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve.
alter
src_ip_v4 = if(src !~= ":", src, null),
src_ip_v6 = if(src ~= ":", src, null),
tar_ip_v4 = if(dst !~= ":", dst, null),
tar_ip_v6 = if(dst ~= ":", dst, null)
| alter
xdm.source.ipv4 = src_ip_v4,
xdm.source.ipv6 = src_ip_v6,
xdm.target.ipv4 = tar_ip_v4,
xdm.target.ipv6 = tar_ip_v6,
xdm.source.user.user_type = if(suser ~= "@", XDM_CONST.USER_TYPE_REGULAR, suser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
xdm.target.user.user_type = if(duser ~= "@", XDM_CONST.USER_TYPE_REGULAR, duser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
xdm.event.description = cs1,
xdm.alert.original_alert_id = cs2,
xdm.observer.unique_identifier = cs3,
xdm.intermediate.application.name = cs4,
xdm.event.operation_sub_type = cs5,
xdm.target.host.hostname = dhost,
xdm.target.user.username = duser,
xdm.source.host.hostname = shost,
xdm.source.user.username = suser,
xdm.event.type = cefName,
xdm.alert.severity = cefSeverity,
xdm.event.id = cefDeviceEventClassId;
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
fromversion: 8.2.0
id: CyberArk_PTA_ModelingRule
name: CyberArk PTA Modeling Rule
rules: ''
schema: ''
tags: ''
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
{
"cyberark_pta_raw": {
"src": {
"type": "string",
"is_array": false
},
"dst": {
"type": "string",
"is_array": false
},
"cs1": {
"type": "string",
"is_array": false
},
"cs2": {
"type": "string",
"is_array": false
},
"cs3": {
"type": "string",
"is_array": false
},
"cs4": {
"type": "string",
"is_array": false
},
"cs5": {
"type": "string",
"is_array": false
},
"dhost": {
"type": "string",
"is_array": false
},
"duser": {
"type": "string",
"is_array": false
},
"shost": {
"type": "string",
"is_array": false
},
"suser": {
"type": "string",
"is_array": false
},
"cefName": {
"type": "string",
"is_array": false
},
"cefSeverity": {
"type": "string",
"is_array": false
},
"cefDeviceEventClassId": {
"type": "string",
"is_array": false
}
}
}
44 changes: 44 additions & 0 deletions Packs/CyberArk_Privileged_Threat_Analytics/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
# CyberArk Privileged Threat Analytics

<~XSIAM>

This pack includes Cortex XSIAM content.

This pack contains a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields.
Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs.
We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve.

## Configuration on Server Side
You need to configure CyberArk Privileged Threat Analytics (PTA) to forward Syslog messages in CEF format.

Access your Cyberark PTA machine and follow these instructions [Product Documentation](https://docs.cyberark.com/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm):
1. On the PTA machine, open the default **systemparm.properties** file using the ***DEFAULTPARM*** command.
2. Copy the line containing the **syslog_outbound** property, and exit the file.
3. Open the local **systemparm.properties** file using the ***LOCALPARM*** command.
4. Press **i** to edit the file.
5. Paste the line you copied, uncomment the **syslog_outbound** property and edit the parameters. Use the following as a guide.
* format - CEF.
* protocol - UDP.
* siem - Assign a name to your configuration.
* host - Write the dedicated hostname or IP address.
* port - Write the dedicated port number.
* syslogType - RFC5424.

## Collect Events from Vendor
In order to use the collector, use the [Broker VM](#broker-vm) option.

### Broker VM
To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).

You can configure the specific vendor and product for this instance.

1. Navigate to **Settings** &rarr; **Configuration** &rarr; **Data Broker** &rarr; **Broker VMs**.
2. Go to the **Apps** column under the **Brokers** tab and add the **Syslog Collector** app for the relevant broker instance. If the app already exists, hover over it and click **Configure**.
3. Click **Add New** for adding a new syslog data source.
4. When configuring the new syslog data source, set the following values:
| Parameter | Value
| :--- | :---
| `Vendor` | Enter **cyberark**.
| `Product` | Enter **pta**.

</~XSIAM>
18 changes: 18 additions & 0 deletions Packs/CyberArk_Privileged_Threat_Analytics/pack_metadata.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{
"name": "CyberArk Privileged Threat Analytics",
"description": "CyberArk Privileged Threat Analytics (PTA) leverages the analytic capabilities of PTA and assigns a risk score to privileged sessions.",
"support": "xsoar",
"currentVersion": "1.0.0",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
"categories": [
"Analytics & SIEM"
],
"tags": [],
"useCases": [],
"keywords": [],
"marketplaces": [
"marketplacev2"
]
}

0 comments on commit 727eff9

Please sign in to comment.