-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Updated ModelingRules * Updated secrets * Updated yml * Update Packs/CyberArk_Privileged_Threat_Analytics/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Update Packs/CyberArk_Privileged_Threat_Analytics/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Update Packs/CyberArk_Privileged_Threat_Analytics/README.md Co-authored-by: ShirleyDenkberg <[email protected]> * Updated yml * Updated README * Updated Beta Note * Updated ModelingRules * Updated README --------- Co-authored-by: ShirleyDenkberg <[email protected]>
- Loading branch information
1 parent
91f3267
commit 727eff9
Showing
7 changed files
with
157 additions
and
0 deletions.
There are no files selected for viewing
Empty file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
https://docs.cyberark.com |
28 changes: 28 additions & 0 deletions
28
...delingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.xif
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
[MODEL: dataset = "cyberark_pta_raw"] | ||
// This is a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields. | ||
// Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs. | ||
// We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve. | ||
alter | ||
src_ip_v4 = if(src !~= ":", src, null), | ||
src_ip_v6 = if(src ~= ":", src, null), | ||
tar_ip_v4 = if(dst !~= ":", dst, null), | ||
tar_ip_v6 = if(dst ~= ":", dst, null) | ||
| alter | ||
xdm.source.ipv4 = src_ip_v4, | ||
xdm.source.ipv6 = src_ip_v6, | ||
xdm.target.ipv4 = tar_ip_v4, | ||
xdm.target.ipv6 = tar_ip_v6, | ||
xdm.source.user.user_type = if(suser ~= "@", XDM_CONST.USER_TYPE_REGULAR, suser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), | ||
xdm.target.user.user_type = if(duser ~= "@", XDM_CONST.USER_TYPE_REGULAR, duser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT), | ||
xdm.event.description = cs1, | ||
xdm.alert.original_alert_id = cs2, | ||
xdm.observer.unique_identifier = cs3, | ||
xdm.intermediate.application.name = cs4, | ||
xdm.event.operation_sub_type = cs5, | ||
xdm.target.host.hostname = dhost, | ||
xdm.target.user.username = duser, | ||
xdm.source.host.hostname = shost, | ||
xdm.source.user.username = suser, | ||
xdm.event.type = cefName, | ||
xdm.alert.severity = cefSeverity, | ||
xdm.event.id = cefDeviceEventClassId; |
6 changes: 6 additions & 0 deletions
6
...delingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
fromversion: 8.2.0 | ||
id: CyberArk_PTA_ModelingRule | ||
name: CyberArk PTA Modeling Rule | ||
rules: '' | ||
schema: '' | ||
tags: '' |
60 changes: 60 additions & 0 deletions
60
...les/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics_schema.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
{ | ||
"cyberark_pta_raw": { | ||
"src": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"dst": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cs1": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cs2": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cs3": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cs4": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cs5": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"dhost": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"duser": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"shost": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"suser": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cefName": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cefSeverity": { | ||
"type": "string", | ||
"is_array": false | ||
}, | ||
"cefDeviceEventClassId": { | ||
"type": "string", | ||
"is_array": false | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
# CyberArk Privileged Threat Analytics | ||
|
||
<~XSIAM> | ||
|
||
This pack includes Cortex XSIAM content. | ||
|
||
This pack contains a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields. | ||
Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs. | ||
We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve. | ||
|
||
## Configuration on Server Side | ||
You need to configure CyberArk Privileged Threat Analytics (PTA) to forward Syslog messages in CEF format. | ||
|
||
Access your Cyberark PTA machine and follow these instructions [Product Documentation](https://docs.cyberark.com/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm): | ||
1. On the PTA machine, open the default **systemparm.properties** file using the ***DEFAULTPARM*** command. | ||
2. Copy the line containing the **syslog_outbound** property, and exit the file. | ||
3. Open the local **systemparm.properties** file using the ***LOCALPARM*** command. | ||
4. Press **i** to edit the file. | ||
5. Paste the line you copied, uncomment the **syslog_outbound** property and edit the parameters. Use the following as a guide. | ||
* format - CEF. | ||
* protocol - UDP. | ||
* siem - Assign a name to your configuration. | ||
* host - Write the dedicated hostname or IP address. | ||
* port - Write the dedicated port number. | ||
* syslogType - RFC5424. | ||
|
||
## Collect Events from Vendor | ||
In order to use the collector, use the [Broker VM](#broker-vm) option. | ||
|
||
### Broker VM | ||
To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM). | ||
|
||
You can configure the specific vendor and product for this instance. | ||
|
||
1. Navigate to **Settings** → **Configuration** → **Data Broker** → **Broker VMs**. | ||
2. Go to the **Apps** column under the **Brokers** tab and add the **Syslog Collector** app for the relevant broker instance. If the app already exists, hover over it and click **Configure**. | ||
3. Click **Add New** for adding a new syslog data source. | ||
4. When configuring the new syslog data source, set the following values: | ||
| Parameter | Value | ||
| :--- | :--- | ||
| `Vendor` | Enter **cyberark**. | ||
| `Product` | Enter **pta**. | ||
|
||
</~XSIAM> |
18 changes: 18 additions & 0 deletions
18
Packs/CyberArk_Privileged_Threat_Analytics/pack_metadata.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
{ | ||
"name": "CyberArk Privileged Threat Analytics", | ||
"description": "CyberArk Privileged Threat Analytics (PTA) leverages the analytic capabilities of PTA and assigns a risk score to privileged sessions.", | ||
"support": "xsoar", | ||
"currentVersion": "1.0.0", | ||
"author": "Cortex XSOAR", | ||
"url": "https://www.paloaltonetworks.com/cortex", | ||
"email": "", | ||
"categories": [ | ||
"Analytics & SIEM" | ||
], | ||
"tags": [], | ||
"useCases": [], | ||
"keywords": [], | ||
"marketplaces": [ | ||
"marketplacev2" | ||
] | ||
} |