diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/.pack-ignore b/Packs/CyberArk_Privileged_Threat_Analytics/.pack-ignore
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/.secrets-ignore b/Packs/CyberArk_Privileged_Threat_Analytics/.secrets-ignore
new file mode 100644
index 000000000000..7157cec2ec06
--- /dev/null
+++ b/Packs/CyberArk_Privileged_Threat_Analytics/.secrets-ignore
@@ -0,0 +1 @@
+https://docs.cyberark.com
\ No newline at end of file
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.xif b/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.xif
new file mode 100644
index 000000000000..d9adca2cbff2
--- /dev/null
+++ b/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.xif
@@ -0,0 +1,28 @@
+[MODEL: dataset = "cyberark_pta_raw"]
+// This is a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields.
+// Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs.
+// We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve.
+alter
+ src_ip_v4 = if(src !~= ":", src, null),
+ src_ip_v6 = if(src ~= ":", src, null),
+ tar_ip_v4 = if(dst !~= ":", dst, null),
+ tar_ip_v6 = if(dst ~= ":", dst, null)
+| alter
+ xdm.source.ipv4 = src_ip_v4,
+ xdm.source.ipv6 = src_ip_v6,
+ xdm.target.ipv4 = tar_ip_v4,
+ xdm.target.ipv6 = tar_ip_v6,
+ xdm.source.user.user_type = if(suser ~= "@", XDM_CONST.USER_TYPE_REGULAR, suser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
+ xdm.target.user.user_type = if(duser ~= "@", XDM_CONST.USER_TYPE_REGULAR, duser ~= "Vault user", XDM_CONST.USER_TYPE_SERVICE_ACCOUNT),
+ xdm.event.description = cs1,
+ xdm.alert.original_alert_id = cs2,
+ xdm.observer.unique_identifier = cs3,
+ xdm.intermediate.application.name = cs4,
+ xdm.event.operation_sub_type = cs5,
+ xdm.target.host.hostname = dhost,
+ xdm.target.user.username = duser,
+ xdm.source.host.hostname = shost,
+ xdm.source.user.username = suser,
+ xdm.event.type = cefName,
+ xdm.alert.severity = cefSeverity,
+ xdm.event.id = cefDeviceEventClassId;
\ No newline at end of file
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.yml b/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.yml
new file mode 100644
index 000000000000..8d8d81c870ed
--- /dev/null
+++ b/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics.yml
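Review bot: The IPv4 branch in the first `alter` block is chosen only by the absence of a colon (`src_ip_v4 = if(src !~= ":", src, null)`, and likewise for `dst`), so any non-IP value such as a hostname or an empty string carried in `src` is written into `xdm.source.ipv4` unchanged. A positive test for a dotted-quad, e.g. `src_ip_v4 = if(src ~= "^\d{1,3}(\.\d{1,3}){3}$", src, null)`, keeps hostnames out of the IP fields; the same applies to `tar_ip_v4`. Separately, CEF's DeviceEventClassId identifies the event signature rather than an individual record, so `xdm.event.id = cefDeviceEventClassId` may not be unique per event — worth confirming against sample PTA logs before anything downstream relies on it for correlation.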
@@ -0,0 +1,6 @@
+fromversion: 8.2.0
+id: CyberArk_PTA_ModelingRule
+name: CyberArk PTA Modeling Rule
+rules: ''
+schema: ''
+tags: ''
\ No newline at end of file
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics_schema.json b/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics_schema.json
new file mode 100644
index 000000000000..85890dc31df7
--- /dev/null
+++ b/Packs/CyberArk_Privileged_Threat_Analytics/ModelingRules/CyberArk_Privileged_Threat_Analytics/CyberArk_Privileged_Threat_Analytics_schema.json
@@ -0,0 +1,60 @@
+{
+ "cyberark_pta_raw": {
+ "src": {
+ "type": "string",
+ "is_array": false
+ },
+ "dst": {
+ "type": "string",
+ "is_array": false
+ },
+ "cs1": {
+ "type": "string",
+ "is_array": false
+ },
+ "cs2": {
+ "type": "string",
+ "is_array": false
+ },
+ "cs3": {
+ "type": "string",
+ "is_array": false
+ },
+ "cs4": {
+ "type": "string",
+ "is_array": false
+ },
+ "cs5": {
+ "type": "string",
+ "is_array": false
+ },
+ "dhost": {
+ "type": "string",
+ "is_array": false
+ },
+ "duser": {
+ "type": "string",
+ "is_array": false
+ },
+ "shost": {
+ "type": "string",
+ "is_array": false
+ },
+ "suser": {
+ "type": "string",
+ "is_array": false
+ },
+ "cefName": {
+ "type": "string",
+ "is_array": false
+ },
+ "cefSeverity": {
+ "type": "string",
+ "is_array": false
+ },
+ "cefDeviceEventClassId": {
+ "type": "string",
+ "is_array": false
+ }
+ }
+}
\ No newline at end of file
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/README.md b/Packs/CyberArk_Privileged_Threat_Analytics/README.md
new file mode 100644
index 000000000000..69c3deb70dbf
--- /dev/null
+++ b/Packs/CyberArk_Privileged_Threat_Analytics/README.md
@@ -0,0 +1,44 @@
+# CyberArk Privileged Threat Analytics
+
+<~XSIAM>
+
+This pack includes Cortex XSIAM content.
+
+This pack contains a beta Modeling Rule, which lets you process CyberArk PTA log fields to XDM fields.
+Since the Modeling Rule is considered as beta, it might not contain some of the fields that are available from the logs.
+We appreciate your feedback on the quality and usability of the Modeling Rule to help us identify issues, fix them, and continually improve.
+
+## Configuration on Server Side
+You need to configure CyberArk Privileged Threat Analytics (PTA) to forward Syslog messages in CEF format.
+
+Access your Cyberark PTA machine and follow these instructions [Product Documentation](https://docs.cyberark.com/PAS/Latest/en/Content/PTA/Outbound-Sending-%20PTA-syslog-Records-to-SIEM.htm):
+1. On the PTA machine, open the default **systemparm.properties** file using the ***DEFAULTPARM*** command.
+2. Copy the line containing the **syslog_outbound** property, and exit the file.
+3. Open the local **systemparm.properties** file using the ***LOCALPARM*** command.
+4. Press **i** to edit the file.
+5. Paste the line you copied, uncomment the **syslog_outbound** property and edit the parameters. Use the following as a guide.
+ * format - CEF.
+ * protocol - UDP.
+ * siem - Assign a name to your configuration.
+ * host - Write the dedicated hostname or IP address.
+ * port - Write the dedicated port number.
+ * syslogType - RFC5424.
+
+## Collect Events from Vendor
+In order to use the collector, use the [Broker VM](#broker-vm) option.
+
+### Broker VM
+To create or configure the Broker VM, use the information described [here](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Configure-the-Broker-VM).
+
+You can configure the specific vendor and product for this instance.
+
+1. Navigate to **Settings** → **Configuration** → **Data Broker** → **Broker VMs**.
+2. Go to the **Apps** column under the **Brokers** tab and add the **Syslog Collector** app for the relevant broker instance. If the app already exists, hover over it and click **Configure**.
+3. Click **Add New** for adding a new syslog data source.
+4. When configuring the new syslog data source, set the following values:
+ | Parameter | Value
+ | :--- | :---
+ | `Vendor` | Enter **cyberark**.
+ | `Product` | Enter **pta**.
+
+
\ No newline at end of file
diff --git a/Packs/CyberArk_Privileged_Threat_Analytics/pack_metadata.json b/Packs/CyberArk_Privileged_Threat_Analytics/pack_metadata.json
new file mode 100644
index 000000000000..a42f855a7be0
--- /dev/null
+++ b/Packs/CyberArk_Privileged_Threat_Analytics/pack_metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "CyberArk Privileged Threat Analytics",
+ "description": "CyberArk Privileged Threat Analytics (PTA) leverages the analytic capabilities of PTA and assigns a risk score to privileged sessions.",
+ "support": "xsoar",
+ "currentVersion": "1.0.0",
+ "author": "Cortex XSOAR",
+ "url": "https://www.paloaltonetworks.com/cortex",
+ "email": "",
+ "categories": [
+ "Analytics & SIEM"
+ ],
+ "tags": [],
+ "useCases": [],
+ "keywords": [],
+ "marketplaces": [
+ "marketplacev2"
+ ]
+}
\ No newline at end of file