From 63a0e9e6822d2ce31749c09fb255930289b72167 Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Mon, 31 May 2021 17:27:23 +0200 Subject: [PATCH 1/7] updating cyberarkpas ECS version and adding pipeline tests --- .../pipeline/test-105-add-file-category.log | 6 ++++++ .../test-105-add-file-category.log-config.yml | 5 +++++ .../pipeline/test-106-update-file-category.log | 6 ++++++ ...est-106-update-file-category.log-config.yml | 5 +++++ .../pipeline/test-107-delete-file-category.log | 1 + ...est-107-delete-file-category.log-config.yml | 5 +++++ .../test/pipeline/test-124-rename-file.log | 1 + .../test-124-rename-file.log-config.yml | 5 +++++ .../pipeline/test-125-rename-file-cont.log | 1 + .../test-125-rename-file-cont.log-config.yml | 5 +++++ .../test/pipeline/test-126-unlock-file.log | 1 + .../test-126-unlock-file.log-config.yml | 5 +++++ .../pipeline/test-130-cpm-disable-password.log | 1 + ...est-130-cpm-disable-password.log-config.yml | 5 +++++ .../pipeline/test-178-get-user-s-details.log | 1 + .../test-178-get-user-s-details.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-180-add-user.log | 12 ++++++++++++ .../pipeline/test-180-add-user.log-config.yml | 5 +++++ .../test/pipeline/test-181-update-safe.log | 1 + .../test-181-update-safe.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-185-add-safe.log | 2 ++ .../pipeline/test-185-add-safe.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-187-add-folder.log | 2 ++ .../test-187-add-folder.log-config.yml | 5 +++++ .../test-19-full-gateway-connection.log | 9 +++++++++ ...t-19-full-gateway-connection.log-config.yml | 5 +++++ .../test-20-partial-gateway-connection.log | 1 + ...0-partial-gateway-connection.log-config.yml | 5 +++++ ...est-202-old-backup-files-deletion-start.log | 1 + ...-backup-files-deletion-start.log-config.yml | 5 +++++ .../test-203-old-backup-files-deletion-end.log | 1 + ...ld-backup-files-deletion-end.log-config.yml | 5 +++++ .../pipeline/test-22-cpm-verify-password.log | 2 ++ .../test-22-cpm-verify-password.log-config.yml | 5 +++++ 
.../pipeline/test-23-action-on-closed-safe.log | 3 +++ ...est-23-action-on-closed-safe.log-config.yml | 5 +++++ .../pipeline/test-24-cpm-change-password.log | 4 ++++ .../test-24-cpm-change-password.log-config.yml | 5 +++++ .../pipeline/test-259-add-update-group.log | 4 ++++ .../test-259-add-update-group.log-config.yml | 5 +++++ .../pipeline/test-265-add-group-member.log | 14 ++++++++++++++ .../test-265-add-group-member.log-config.yml | 5 +++++ .../pipeline/test-266-remove-group-member.log | 2 ++ ...test-266-remove-group-member.log-config.yml | 5 +++++ .../test/pipeline/test-273-remove-owner.log | 1 + .../test-273-remove-owner.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-278-add-rule.log | 1 + .../pipeline/test-278-add-rule.log-config.yml | 5 +++++ ...test-288-auto-clear-users-history-start.log | 2 ++ ...to-clear-users-history-start.log-config.yml | 5 +++++ .../test-289-auto-clear-users-history-end.log | 2 ++ ...auto-clear-users-history-end.log-config.yml | 5 +++++ ...test-290-auto-clear-safes-history-start.log | 1 + ...to-clear-safes-history-start.log-config.yml | 5 +++++ .../test-291-auto-clear-safes-history-end.log | 1 + ...auto-clear-safes-history-end.log-config.yml | 5 +++++ .../test/pipeline/test-294-store-password.log | 10 ++++++++++ .../test-294-store-password.log-config.yml | 5 +++++ .../pipeline/test-295-retrieve-password.log | 13 +++++++++++++ .../test-295-retrieve-password.log-config.yml | 5 +++++ .../test/pipeline/test-300-psm-connect.log | 17 +++++++++++++++++ .../test-300-psm-connect.log-config.yml | 5 +++++ .../test/pipeline/test-302-psm-disconnect.log | 16 ++++++++++++++++ .../test-302-psm-disconnect.log-config.yml | 5 +++++ .../pipeline/test-304-psm-upload-recording.log | 1 + ...est-304-psm-upload-recording.log-config.yml | 5 +++++ .../test/pipeline/test-308-use-password.log | 11 +++++++++++ .../test-308-use-password.log-config.yml | 5 +++++ .../pipeline/test-309-undefined-user-logon.log | 5 +++++ 
...est-309-undefined-user-logon.log-config.yml | 5 +++++ .../test-31-cpm-reconcile-password.log | 1 + ...st-31-cpm-reconcile-password.log-config.yml | 5 +++++ .../test-310-monitor-dr-replication-start.log | 2 ++ ...monitor-dr-replication-start.log-config.yml | 5 +++++ .../test-311-monitor-dr-replication-end.log | 2 ++ ...1-monitor-dr-replication-end.log-config.yml | 5 +++++ ...eset-user-password-detailed-information.log | 1 + ...assword-detailed-information.log-config.yml | 5 +++++ .../pipeline/test-317-reset-user-password.log | 1 + ...test-317-reset-user-password.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-32-add-owner.log | 16 ++++++++++++++++ .../pipeline/test-32-add-owner.log-config.yml | 5 +++++ .../test-326-cpm-auto-detection-start.log | 1 + ...326-cpm-auto-detection-start.log-config.yml | 5 +++++ .../test-327-cpm-auto-detection-end.log | 1 + ...t-327-cpm-auto-detection-end.log-config.yml | 5 +++++ .../test/pipeline/test-33-update-owner.log | 7 +++++++ .../test-33-update-owner.log-config.yml | 5 +++++ ...5-monitor-license-expiration-date-start.log | 1 + ...icense-expiration-date-start.log-config.yml | 5 +++++ ...356-monitor-license-expiration-date-end.log | 1 + ...-license-expiration-date-end.log-config.yml | 5 +++++ .../test-357-monitor-fw-rules-start.log | 2 ++ ...t-357-monitor-fw-rules-start.log-config.yml | 5 +++++ .../pipeline/test-358-monitor-fw-rules-end.log | 2 ++ ...est-358-monitor-fw-rules-end.log-config.yml | 5 +++++ .../test/pipeline/test-359-sql-command.log | 10 ++++++++++ .../test-359-sql-command.log-config.yml | 5 +++++ .../pipeline/test-361-keystroke-logging.log | 7 +++++++ .../test-361-keystroke-logging.log-config.yml | 5 +++++ .../test-38-cpm-verify-password-failed.log | 15 +++++++++++++++ ...8-cpm-verify-password-failed.log-config.yml | 5 +++++ .../test-385-blservice-audit-record.log | 5 +++++ ...t-385-blservice-audit-record.log-config.yml | 5 +++++ .../pipeline/test-4-user-authentication.log | 2 ++ 
.../test-4-user-authentication.log-config.yml | 5 +++++ .../test/pipeline/test-411-window-title.log | 1 + .../test-411-window-title.log-config.yml | 5 +++++ .../pipeline/test-412-keystroke-logging.log | 1 + .../test-412-keystroke-logging.log-config.yml | 5 +++++ .../pipeline/test-414-cpm-verify-ssh-key.log | 1 + .../test-414-cpm-verify-ssh-key.log-config.yml | 5 +++++ .../test/pipeline/test-427-store-ssh-key.log | 1 + .../test-427-store-ssh-key.log-config.yml | 5 +++++ .../pipeline/test-428-retrieve-ssh-key.log | 3 +++ .../test-428-retrieve-ssh-key.log-config.yml | 5 +++++ .../test-449-create-discovery-succeeded.log | 1 + ...9-create-discovery-succeeded.log-config.yml | 5 +++++ .../test/pipeline/test-459-general-audit.log | 3 +++ .../test-459-general-audit.log-config.yml | 5 +++++ ...-key-for-jwt-authentication-was-updated.log | 1 + ...t-authentication-was-updated.log-config.yml | 5 +++++ ...orithm-of-the-vault-certificate-is-sha1.log | 2 ++ ...he-vault-certificate-is-sha1.log-config.yml | 5 +++++ ...ng-add-account-bulk-operation-succeeded.log | 1 + ...unt-bulk-operation-succeeded.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-50-store-file.log | 6 ++++++ .../pipeline/test-50-store-file.log-config.yml | 5 +++++ .../test/pipeline/test-51-retrieve-file.log | 2 ++ .../test-51-retrieve-file.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-52-delete-file.log | 10 ++++++++++ .../test-52-delete-file.log-config.yml | 5 +++++ .../test-57-cpm-change-password-failed.log | 1 + ...7-cpm-change-password-failed.log-config.yml | 5 +++++ .../pipeline/test-59-clear-safe-history.log | 3 +++ .../test-59-clear-safe-history.log-config.yml | 5 +++++ .../test-60-cpm-reconcile-password-failed.log | 9 +++++++++ ...pm-reconcile-password-failed.log-config.yml | 5 +++++ .../pipeline/test-62-create-file-version.log | 8 ++++++++ .../test-62-create-file-version.log-config.yml | 5 +++++ .../audit/_dev/test/pipeline/test-7-logon.log | 12 ++++++++++++ 
.../test/pipeline/test-7-logon.log-config.yml | 5 +++++ .../audit/_dev/test/pipeline/test-8-logoff.log | 15 +++++++++++++++ .../test/pipeline/test-8-logoff.log-config.yml | 5 +++++ .../test/pipeline/test-88-set-password.log | 18 ++++++++++++++++++ .../test-88-set-password.log-config.yml | 5 +++++ .../pipeline/test-98-open-file-write-only.log | 4 ++++ ...test-98-open-file-write-only.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-99-open-file.log | 1 + .../pipeline/test-99-open-file.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-legacysyslog.log | 1 + .../pipeline/test-legacysyslog.log-config.yml | 5 +++++ .../_dev/test/pipeline/test-rfc5424syslog.log | 4 ++++ .../pipeline/test-rfc5424syslog.log-config.yml | 5 +++++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- 155 files changed, 729 insertions(+), 1 deletion(-) create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml create mode 
100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log 
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log new file mode 100644
index 00000000000..cb662d0ec48
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log
@@ -0,0 +1,6 @@
+<5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[Address]","ExtraDetails":"","Message":"Add File Category","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File 
Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"Administrator","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"LogonDomain","RequestId":"","Reason":"Value=[ASR-CYBERARK-WI]","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
+<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 105\n Add File Category\n Info\n PSMPApp_VAGRANT\n Add File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n _PSMLiveSessions_1\n \n \n \n Add File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"105","Desc":"Add File 
Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add File Category","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-config.yml new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log new file mode 100644
index 00000000000..14adbc29da4
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log
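Review bot: The `Station` values on the second to sixth added lines of test-105-add-file-category.log (`81.32.170.205`, `35.192.121.42`) and the `File` path on the first line, which ends in what looks like an individual's account name, read as real infrastructure and personal details rather than fixture data; sample inputs shipped with the package are normally sanitised to RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and generic principal names before the expected-output file is generated from them. The same addresses recur in the test-106-update-file-category.log hunk that follows, so both fixtures would need the same treatment. The `raw` value on the sixth line appears here with only text nodes and `\n` separators and no XML element tags, which may be an artefact of how this page was captured; it is worth confirming the committed file still carries the tagged XML, since the `preserve_original_event` tag in the companion config presumably keeps the whole line as the original event in the expected output.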
@@ -0,0 +1,6 @@ +<5>1 2021-03-08T18:25:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:25:52","IsoTimestamp":"2021-03-08T18:25:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"Administrator","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"Address","RequestId":"","Reason":"Value=[components] Old Value=[Address]","ExtraDetails":"","Message":"Update File Category","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T18:46:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:48","IsoTimestamp":"2021-03-10T18:46:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_VAGRANT\n Update File Category\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.session\n 81.32.170.205\n \n PSMStatus\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.session","Station":"81.32.170.205","Location":"","Category":"PSMStatus","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMApp_ASR-WIN\n Update File Category\n \n \n PSMLiveSessions\n Root\\PSM-ASR-CYBERARK-WI.LiveSessions\n 34.66.114.180\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"34.66.114.180","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File 
Category","GatewayStation":""}}} +<5>1 2021-03-14T13:49:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:38\n 2021-03-14T13:49:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 106\n Update File Category\n Info\n PSMPApp_SSH\n Update File Category\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n _PSMLiveSessions_1\n \n \n \n Update File Category\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:38","IsoTimestamp":"2021-03-14T13:49:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"106","Desc":"Update File Category","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Update File Category","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"_PSMLiveSessions_1","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update File Category","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log new file mode 100644 index 00000000000..92fadaab728 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log 
@@ -0,0 +1 @@ +<5>1 2021-03-15T10:22:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:24\n 2021-03-15T10:22:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 107\n Delete File Category\n Info\n Administrator\n Delete File Category\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n LastFailDate\n \n Old Value=[1615803137]\n \n Delete File Category\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:22:24","IsoTimestamp":"2021-03-15T10:22:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"107","Desc":"Delete File Category","Severity":"Info","Issuer":"Administrator","Action":"Delete File Category","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"LastFailDate","RequestId":"","Reason":"Old Value=[1615803137]","ExtraDetails":"","Message":"Delete File Category","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log new file mode 100644 index 00000000000..b3191445d81 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log 
@@ -0,0 +1 @@ +<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 124\n Rename File\n Info\n Administrator\n Rename File\n \n \n PSM\n Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"124","Desc":"Rename File","Severity":"Info","Issuer":"Administrator","Action":"Rename File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log new file mode 100644 index 00000000000..d9c83a42d98 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log 
@@ -0,0 +1 @@ +<5>1 2021-03-14T13:42:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:42:20\n 2021-03-14T13:42:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 125\n Rename File (Cont.)\n Info\n Administrator\n Rename File (Cont.)\n \n \n PSM\n Operating System-UnixSSH-34.71.250.247-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Rename File (Cont.)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:42:20","IsoTimestamp":"2021-03-14T13:42:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"125","Desc":"Rename File (Cont.)","Severity":"Info","Issuer":"Administrator","Action":"Rename File (Cont.)","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Operating System-UnixSSH-34.71.250.247-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Rename File (Cont.)","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log new file mode 100644 index 00000000000..eeacd9685bc --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log 
@@ -0,0 +1 @@ +<5>1 2021-03-10T18:33:34Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:33:34","IsoTimestamp":"2021-03-10T18:33:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"126","Desc":"Unlock File","Severity":"Info","Issuer":"Administrator","Action":"Unlock File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Unlock File","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log new file mode 100644 index 00000000000..3f6ae5f7871 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log 
@@ -0,0 +1 @@ +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 130\n CPM Disable Password\n Error\n PasswordManager\n CPM Disable Password\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Disable Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"130","Desc":"CPM Disable Password","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Disable Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Disable Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log new file mode 100644 index 00000000000..77869bddde4 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log 
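Review bot: The syslog PRI on this fixture is `<7>` (severity 7, debug) while the embedded `audit_record.Severity` is `"Error"`, whereas the Info records elsewhere in this patch carry `<5>` (notice), so the vendor's PRI value evidently does not track the audit severity. If the pipeline derives `event.severity` or `log.syslog.severity` from the PRI header instead of from `Severity`, this record and the `<7>` record in test-178 will be ranked below the Info events; the expected output for this test is not visible here, so please confirm it asserts on the `Severity` field. The `Reason` value in this record also ends in a literal `\n` (`...is not defined\n`), so whichever field receives it should have that trailing newline trimmed, or the expected file will lock in the stray newline as correct behaviour.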
@@ -0,0 +1 @@ +<7>1 2021-03-11T18:45:23Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:45:23\n 2021-03-11T18:45:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 178\n Get User's Details\n Error\n Administrator\n Get User's Details\n Master\n \n \n \n 127.0.0.1\n \n \n \n \n \n Get User's Details\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:45:23","IsoTimestamp":"2021-03-11T18:45:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"178","Desc":"Get User's Details","Severity":"Error","Issuer":"Administrator","Action":"Get User's Details","SourceUser":"Master","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Get User's Details","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log new file mode 100644 index 00000000000..78ec9f57fe6 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log 
@@ -0,0 +1,12 @@ +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:19","IsoTimestamp":"2021-03-10T17:59:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T17:59:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:27","IsoTimestamp":"2021-03-10T17:59:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:06","IsoTimestamp":"2021-03-10T22:19:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMApp_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-10T22:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:15","IsoTimestamp":"2021-03-10T22:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMGw_ASR-WIN","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-11T16:59:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:36\n 2021-03-11T16:59:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPGW_VAGRANT\n \n \n \n 81.32.170.205\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:36","IsoTimestamp":"2021-03-11T16:59:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n 
Info\n Administrator\n Add User\n PSMPGW_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMPApp_SSH\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add User","SourceUser":"PSMPApp_SSH","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} +<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 180\n Add User\n Info\n Administrator\n Add User\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n \n 34.71.250.247\n \n \n \n \n \n Add User\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"180","Desc":"Add User","Severity":"Info","Issuer":"Administrator","Action":"Add 
User","SourceUser":"PSMP_ADB_asr-cyberark-psm-ssh","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add User","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log new file mode 100644 index 00000000000..93d8a45a00e --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:15:44Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:15:44","IsoTimestamp":"2021-03-10T18:15:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"181","Desc":"Update Safe","Severity":"Info","Issuer":"Administrator","Action":"Update Safe","SourceUser":"","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Safe","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml 
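Review bot: The `Station` values in these fixtures are real public addresses (81.32.170.205, 35.192.121.42, 34.71.250.247), apparently from the environment the samples were captured on, and they are being committed to a public repository together with the vault's component account names. Unless the expected output for this test depends on GeoIP results for these exact addresses, consider rewriting them to RFC 5737 documentation ranges (for example `198.51.100.10` and `203.0.113.20`) before the expected files are generated. If the integration does perform GeoIP enrichment, a stable address that the test environment's GeoIP data recognises keeps the results deterministic without exposing the capture environment.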
@@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log new file mode 100644 index 00000000000..21a17a2c729 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log @@ -0,0 +1,2 @@ +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"Administrator","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 185\n Add Safe\n Info\n PSMPApp_VAGRANT\n Add Safe\n \n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Add Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"185","Desc":"Add Safe","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Add Safe","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Safe","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log new file mode 100644 index 00000000000..3f7fa511cc8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log 
@@ -0,0 +1,2 @@ +<5>1 2021-03-10T09:11:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:40","IsoTimestamp":"2021-03-10T09:11:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"Administrator","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMPADBridgeConf","File":"Root\\Scripts\\","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} +<5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 187\n Add Folder\n Info\n PVWAAppUser\n Add Folder\n \n \n PSMUnmanagedSessionAccounts\n Root\\2\\\n 10.0.1.20\n \n \n \n \n \n Add Folder\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"187","Desc":"Add Folder","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add Folder","SourceUser":"","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2\\","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Folder","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log new file mode 100644 index 00000000000..88926eb1571 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log 
@@ -0,0 +1,9 @@
+<5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-10T08:31:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
00:31:50","IsoTimestamp":"2021-03-10T08:31:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"PasswordManager","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-10T22:37:00Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:37:00","IsoTimestamp":"2021-03-10T22:37:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"10.0.1.10","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-11T17:38:05Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:05\n 2021-03-11T17:38:05Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 127.0.0.1\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:05","IsoTimestamp":"2021-03-11T17:38:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}}
+<5>1 2021-03-11T17:48:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:22\n 2021-03-11T17:48:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PSMPGW_VAGRANT\n \n \n \n 10.0.2.2\n \n \n \n \n \n Full Gateway Connection\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:22","IsoTimestamp":"2021-03-11T17:48:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"81.32.170.205"}}}
+<5>1 2021-03-11T18:02:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:02:57\n 2021-03-11T18:02:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n Info\n Administrator\n Full Gateway Connection\n PVWAGWUser\n \n \n \n 35.192.121.42\n \n \n \n \n \n Full Gateway Connection\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:02:57","IsoTimestamp":"2021-03-11T18:02:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PVWAGWUser","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 19\n Full Gateway Connection\n 
Info\n Administrator\n Full Gateway Connection\n PSMPGW_SSH\n \n \n \n 81.32.170.205\n \n \n \n \n \n Full Gateway Connection\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"19","Desc":"Full Gateway Connection","Severity":"Info","Issuer":"Administrator","Action":"Full Gateway Connection","SourceUser":"PSMPGW_SSH","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Full Gateway Connection","GatewayStation":"34.71.250.247"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log
new file mode 100644
index 00000000000..4c7b137fe67
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log
@@ -0,0 +1 @@
+<5>1 2021-03-25T09:20:07Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 05:20:07\n 2021-03-25T09:20:07Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 20\n Partial Gateway Connection\n Info\n PSMGw_COMP01\n Partial Gateway Connection\n Administrator\n \n \n \n 10.0.0.15\n \n \n \n \n \n Partial Gateway Connection\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 05:20:07","IsoTimestamp":"2021-03-25T09:20:07Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"20","Desc":"Partial Gateway Connection","Severity":"Info","Issuer":"PSMGw_COMP01","Action":"Partial Gateway Connection","SourceUser":"Administrator","TargetUser":"","Safe":"","File":"","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Partial Gateway Connection","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log
new file mode 100644
index 00000000000..46036841299
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log
@@ -0,0 +1 @@
+<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"202","Desc":"Old Backup Files Deletion Start","Severity":"Info","Issuer":"Batch","Action":"Old Backup Files Deletion Start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Old Backup Files Deletion Start","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log
new file mode 100644
index 00000000000..015edc3e25e
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log
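Review bot: The single record here carries `"Station":"0.0.0.0"` and an empty `GatewayStation` for the `Batch` issuer, and test-203-old-backup-files-deletion-end.log in the next hunk has the same shape; the expected-output file, which is not in this chunk, is where the pipeline's handling of the unspecified address should be pinned. Presumably `Station` is mapped to a source IP field; if so, the expected document should show whether `0.0.0.0` is kept, dropped, or only retained as an address string, so that a later change to the IP conversion step is caught rather than silently accepted. A one-line comment in the matching `-config.yml`, `# Batch issuer: Station is 0.0.0.0 and GatewayStation is empty`, would make the intent of this case visible to the next reader.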
@@ -0,0 +1 @@
+<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"203","Desc":"Old Backup Files Deletion End","Severity":"Info","Issuer":"Batch","Action":"Old Backup Files Deletion End","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Old Backup Files Deletion End","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log
new file mode 100644
index 00000000000..f3949f536de
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log
@@ -0,0 +1,2 @@
+Apr 07 09:51:42 VAULT {"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","IsoTimestamp":"2021-03-16T15:01:00Z","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"}]}}}}
+<5>1 2021-03-15T10:22:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:22:44\n 2021-03-15T10:22:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 22\n CPM Verify Password\n Info\n PasswordManager\n CPM Verify Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask\n address=34.123.103.115;username=testark;\n CPM Verify Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
03:22:44","IsoTimestamp":"2021-03-15T10:22:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"22","Desc":"CPM Verify Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Verify Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log
new file mode 100644
index 00000000000..51629665b2b
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log
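Review bot: The first record's BSD-style header (`Apr 07 09:51:42 VAULT`, no year, no priority) disagrees with the record's own `IsoTimestamp` of `2021-03-16T15:01:00Z`, whereas the second record's header and `IsoTimestamp` agree; the expected output for this file, which is outside this chunk, should pin which value becomes the event timestamp for the `"Rfc5424":"no"` shape so that the mismatch reads as a deliberate test and not as an accident of the fixture. The first record also has no `Timestamp` or `Hostname` key inside `audit_record`, so the syslog header is the only source of the host name for it. test-24-cpm-change-password.log goes one step further with a first record that has no syslog header at all (bare JSON); both cases would be clearer with a comment in the matching `-config.yml`, such as `# first event has no RFC 5424 header; exercises the legacy/raw-JSON path`.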
@@ -0,0 +1,3 @@
+<7>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}}
+<7>1 2021-03-14T12:07:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:27\n 2021-03-14T12:07:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n PasswordManager\n Action On Closed Safe\n \n \n AccountsFeedADAccounts\n \n 10.0.1.20\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:27","IsoTimestamp":"2021-03-14T12:07:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"PasswordManager","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"AccountsFeedADAccounts","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}}
+<7>1 2021-03-14T12:57:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:16\n 2021-03-14T12:57:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 23\n Action On Closed Safe\n Error\n Administrator\n Action On Closed Safe\n \n \n PSMPConf\n \n 34.71.250.247\n \n \n \n \n \n Action On Closed Safe\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
05:57:16","IsoTimestamp":"2021-03-14T12:57:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"23","Desc":"Action On Closed Safe","Severity":"Error","Issuer":"Administrator","Action":"Action On Closed Safe","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Action On Closed Safe","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log
new file mode 100644
index 00000000000..f50102d48f7
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log
@@ -0,0 +1,4 @@
+{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\n 10.2.0.4\n \n \n \n ImmediateTask\n address=radiussrv.cyberark.local;username=test12;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","IsoTimestamp":"2021-03-16T15:01:00Z","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=radiussrv.cyberark.local;username=test12;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"test12"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastSuccessVerification","Value":"1604943844"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1604944158"}]}}}}
+<5>1 2021-03-08T19:20:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:05","IsoTimestamp":"2021-03-08T19:20:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountA;","Message":"CPM Change Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-10T23:39:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:28","IsoTimestamp":"2021-03-10T23:39:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountB;","Message":"CPM Change 
Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"25"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615419568"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-15T10:12:24Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:24\n 2021-03-15T10:12:24Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 24\n CPM Change Password\n Info\n PasswordManager\n CPM Change Password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n ImmediateTask\n address=components;username=x_accountA;\n CPM Change Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:24","IsoTimestamp":"2021-03-15T10:12:24Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"24","Desc":"CPM Change Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Change Password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=components;username=x_accountA;","Message":"CPM Change 
Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"28"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615803143"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log
new file mode 100644
index 00000000000..7284820d8e4
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log
@@ -0,0 +1,4 @@
+<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMMaster","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"259","Desc":"Add/Update Group","Severity":"Info","Issuer":"Administrator","Action":"Add/Update Group","SourceUser":"PSMLiveSessionTerminators","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add/Update Group","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log
new file mode 100644
index 00000000000..bff61c277da
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log
@@ -0,0 +1,14 @@
+<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:35","IsoTimestamp":"2021-03-10T09:11:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_localhost.localdomain","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T17:58:01Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:01","IsoTimestamp":"2021-03-10T17:58:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:29","IsoTimestamp":"2021-03-10T17:59:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T17:59:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:30","IsoTimestamp":"2021-03-10T17:59:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:15","IsoTimestamp":"2021-03-10T22:17:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMApp_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:16Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:16","IsoTimestamp":"2021-03-10T22:19:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMGw_ASR-WIN","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n 
\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-11T16:59:38Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:38\n 2021-03-11T16:59:38Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_VAGRANT\n \n \n 81.32.170.205\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:38","IsoTimestamp":"2021-03-11T16:59:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_VAGRANT","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PVWAGWAccounts\n PSMPGW_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group 
Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PVWAGWAccounts","TargetUser":"PSMPGW_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-14T12:57:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:17\n 2021-03-14T12:57:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMAppUsers\n PSMPApp_SSH\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:17","IsoTimestamp":"2021-03-14T12:57:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group Member","SourceUser":"PSMAppUsers","TargetUser":"PSMPApp_SSH","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
+<5>1 2021-03-14T12:57:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:21\n 2021-03-14T12:57:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 265\n Add Group Member\n Info\n Administrator\n Add Group Member\n PSMP_ADB_AppUsers\n PSMP_ADB_asr-cyberark-psm-ssh\n \n \n 34.71.250.247\n \n \n \n \n \n Add Group Member\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:21","IsoTimestamp":"2021-03-14T12:57:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"265","Desc":"Add Group Member","Severity":"Info","Issuer":"Administrator","Action":"Add Group 
Member","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"PSMP_ADB_asr-cyberark-psm-ssh","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Group Member","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log
new file mode 100644
index 00000000000..7b0f9be88a0
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-10T17:59:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:48","IsoTimestamp":"2021-03-10T17:59:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
+<5>1 2021-03-10T22:19:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:23","IsoTimestamp":"2021-03-10T22:19:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"266","Desc":"Remove Group Member","Severity":"Info","Issuer":"Administrator","Action":"Remove Group Member","SourceUser":"PSMMaster","TargetUser":"Administrator","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Group Member","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log
new file mode 100644
index 00000000000..ea1458e5874
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T17:59:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:33","IsoTimestamp":"2021-03-10T17:59:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"273","Desc":"Remove Owner","Severity":"Info","Issuer":"Administrator","Action":"Remove Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Remove Owner","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log
new file mode 100644
index 00000000000..b4e7a9ada36
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log
@@ -0,0 +1 @@
+<5>1 2021-03-11T18:01:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:01:14\n 2021-03-11T18:01:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 278\n Add Rule\n Info\n PVWAAppUser\n Add Rule\n Administrator\n \n PSMUnmanagedSessionAccounts\n Root\\2\n 10.0.1.20\n \n \n \n Allow\n \n Add Rule\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:01:14","IsoTimestamp":"2021-03-11T18:01:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"278","Desc":"Add Rule","Severity":"Info","Issuer":"PVWAAppUser","Action":"Add Rule","SourceUser":"Administrator","TargetUser":"","Safe":"PSMUnmanagedSessionAccounts","File":"Root\\2","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Allow","ExtraDetails":"","Message":"Add Rule","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log
new file mode 100644
index 00000000000..8a37e23616a
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-05T11:00:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 03:00:06","IsoTimestamp":"2021-03-05T11:00:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"288","Desc":"Auto Clear Users History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History start","GatewayStation":""}}}
+Mar 08 03:00:20 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"288","Desc":"Auto Clear Users History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History start","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log
new file mode 100644
index 00000000000..8d873525e41
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-05T11:00:06Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 03:00:06","IsoTimestamp":"2021-03-05T11:00:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"289","Desc":"Auto Clear Users History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History end","GatewayStation":""}}}
+Mar 08 03:00:20 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"289","Desc":"Auto Clear Users History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Users History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Users History end","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log
new file mode 100644
index 00000000000..2c7336ea820
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log
@@ -0,0 +1 @@
+<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"290","Desc":"Auto Clear Safes History start","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Safes History start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Safes History start","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log
new file mode 100644
index 00000000000..8731e1e4ed9
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log
@@ -0,0 +1 @@
+<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"291","Desc":"Auto Clear Safes History end","Severity":"Info","Issuer":"Batch","Action":"Auto Clear Safes History end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Auto Clear Safes History end","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log
new file mode 100644
index 00000000000..2ea7c7cf132
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log
@@ -0,0 +1,10 @@
+<5>1 2021-03-08T10:19:42Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 02:19:42","IsoTimestamp":"2021-03-08T10:19:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615198782"},{"Name":"CurrInd","Value":"2"}]}}}}
+<5>1 2021-03-08T18:24:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:49","IsoTimestamp":"2021-03-08T18:24:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20"}}}
+<5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store 
password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}}
+<5>1 2021-03-10T17:58:06Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:06","IsoTimestamp":"2021-03-10T17:58:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:26Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:26","IsoTimestamp":"2021-03-10T22:17:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":""}}}
+<5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Groups\\WindowsGroup\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615722505"},{"Name":"CurrInd","Value":"2"}]}}}}
+<5>1 
2021-03-15T10:12:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:21\n 2021-03-15T10:12:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n PasswordManager\n Store password\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\n 10.0.1.20\n \n \n \n \n \n Store password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:21","IsoTimestamp":"2021-03-15T10:12:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"PasswordManager","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615754905"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-15T13:13:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:13:01\n 2021-03-15T13:13:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 294\n Store password\n Info\n 
Administrator\n Store password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 127.0.0.1\n \n \n \n \n \n Store password\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:13:01","IsoTimestamp":"2021-03-15T13:13:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"294","Desc":"Store password","Severity":"Info","Issuer":"Administrator","Action":"Store password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store password","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log
new file mode 100644
index 00000000000..b7413a20012
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log
@@ -0,0 +1,13 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n Prov_PVWA\n Retrieve password\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.3\n \n \n \n AIM password request\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"295","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Retrieve password","Severity":"Info","Issuer":"Prov_PVWA","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.3","Location":"","Category":"","RequestId":"","Reason":"AIM password request","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Nobody"}]}}}} +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 295\n Retrieve password\n Info\n adm2\n Retrieve password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Show Password)\n \n \n Show Password\n \n\n \n Retrieve password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"295","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Retrieve password","Severity":"Info","Issuer":"adm2","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating 
System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Show Password)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Show Password"}}},"ExtraDetails":"","Message":"Retrieve password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} +<5>1 2021-03-08T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:16:51","IsoTimestamp":"2021-03-08T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\testobject","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"test"},{"Name":"Address","Value":"test"},{"Name":"CPMDisabled","Value":"testing"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-08T19:19:59Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
11:19:59","IsoTimestamp":"2021-03-08T19:19:59Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"26"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615231182"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614785704"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-08T19:20:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 11:20:02","IsoTimestamp":"2021-03-08T19:20:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"CPMStatus","Value":"success"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615198782"},{"Name":"CurrInd","Value":"2"}]}}}} +<5>1 2021-03-10T14:40:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:40:37","IsoTimestamp":"2021-03-10T14:40:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Application provider background refresh job","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T18:27:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:27:57","IsoTimestamp":"2021-03-10T18:27:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve 
password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"test","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-10T18:28:07Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:28:07","IsoTimestamp":"2021-03-10T18:28:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"test","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-10T23:39:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:22","IsoTimestamp":"2021-03-10T23:39:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve 
password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"InProcess","Value":"ChangeTask"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"StartChangeNotBefore","Value":"1615419536"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Inactive"},{"Name":"VirtualUsername","Value":"virtual"}]}}}} +<5>1 2021-03-10T23:39:25Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 15:39:25","IsoTimestamp":"2021-03-10T23:39:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Groups\\WindowsGroup","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"CPM","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WindowsDesktopLocalAccountsRotationalPolicy"},{"Name":"CPMStatus","Value":"success"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessChange","Value":"1615387136"},{"Name":"CurrInd","Value":"1"}]}}}} +<5>1 2021-03-11T16:41:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:41:21\n 2021-03-11T16:41:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n lksajdflkasdf\n \n Retrieve password\n 
\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:41:21","IsoTimestamp":"2021-03-11T16:41:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"lksajdflkasdf","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-11T16:50:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:28\n 2021-03-11T16:50:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n PVWAAppUser\n Retrieve password\n \n \n PSM\n Root\\PSMServer\n 10.0.1.20\n \n \n \n \n \n Retrieve password\n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:28","IsoTimestamp":"2021-03-11T16:50:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"PVWAAppUser","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMServer","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-11T16:54:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:54:20\n 2021-03-11T16:54:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 295\n Retrieve password\n Info\n Administrator\n Retrieve password\n 
\n \n PSM\n Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\n 127.0.0.1\n \n \n \n sdfsdf\n \n Retrieve password\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:54:20","IsoTimestamp":"2021-03-11T16:54:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"295","Desc":"Retrieve password","Severity":"Info","Issuer":"Administrator","Action":"Retrieve password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"sdfsdf","ExtraDetails":"","Message":"Retrieve password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"PSMApp_VAGRANT"},{"Name":"Address","Value":"centos8"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log new file mode 100644 index 00000000000..74928df0a23 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log 
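Review bot: Only the second record of this fixture (the `adm2` / `"Safe":"Windows"` retrieval) carries a `PvwaDetails` object with `RetrieveReason.General.RetrieveAction`, so it is the sole sample exercising that nested key; it is worth confirming that the expected-output file for this test (presumably generated alongside it) asserts on how the pipeline maps or drops that object rather than letting it pass through unmapped. The fixture deliberately mixes bare JSON records with `<5>1 … VAULT`-prefixed ones, and records with and without the `raw` XML copy, which is good coverage of both framings but is not stated anywhere; a short note next to the fixture saying that both variants must be kept would protect it from a later "cleanup". The `Customer` values `EvilCorp` and `Tesla` read as real-company placeholders in committed test data; neutral names would avoid them surfacing in rendered sample output.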
@@ -0,0 +1,17 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"300","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-11T17:38:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:20\n 2021-03-11T17:38:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:20","IsoTimestamp":"2021-03-11T17:38:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:56\n 2021-03-11T17:46:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:56","IsoTimestamp":"2021-03-11T17:46:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM 
Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:34Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:34\n 2021-03-11T17:48:34Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:34","IsoTimestamp":"2021-03-11T17:48:34Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:56\n 2021-03-11T17:54:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:56","IsoTimestamp":"2021-03-11T17:54:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:37\n 2021-03-11T17:56:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n 
Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:37","IsoTimestamp":"2021-03-11T17:56:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:25\n 2021-03-11T20:23:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
12:23:25","IsoTimestamp":"2021-03-11T20:23:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:37\n 2021-03-14T13:49:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:37","IsoTimestamp":"2021-03-14T13:49:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:50:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:50:43\n 2021-03-14T13:50:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:50:43","IsoTimestamp":"2021-03-14T13:50:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:56Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:56\n 2021-03-15T10:31:56Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:56","IsoTimestamp":"2021-03-15T10:31:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:39Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:39\n 2021-03-15T10:33:39Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:39","IsoTimestamp":"2021-03-15T10:33:39Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:00\n 2021-03-15T10:35:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:00","IsoTimestamp":"2021-03-15T10:35:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:31Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:31\n 2021-03-15T13:18:31Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:31","IsoTimestamp":"2021-03-15T13:18:31Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:06Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:06\n 2021-03-15T14:08:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Connect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:06","IsoTimestamp":"2021-03-15T14:08:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:28\n 2021-03-15T14:08:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:28","IsoTimestamp":"2021-03-15T14:08:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM 
Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:11:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:09\n 2021-03-15T14:11:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:09","IsoTimestamp":"2021-03-15T14:11:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:51\n 2021-03-16T10:04:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 300\n PSM Connect\n Info\n Administrator\n PSM Connect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\n PSM Connect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:51","IsoTimestamp":"2021-03-16T10:04:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"300","Desc":"PSM Connect","Severity":"Info","Issuer":"Administrator","Action":"PSM 
Connect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;","Message":"PSM Connect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log
new file mode 100644
index 00000000000..c172f644c9f
--- /dev/null
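Review bot: The `event.ingested: ".*"` entry in the new test-300-psm-connect.log-config.yml accepts any value, including an empty string, so the pipeline test would not notice the pipeline emitting a missing or malformed ingest timestamp. A pattern that still tolerates the per-run variation but pins the shape, e.g. `event.ingested: "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}"`, would make the dynamic-field check meaningful, assuming the test runner matches the regex against the rendered string value. The other `*.log-config.yml` files this commit adds appear from the diffstat to carry the same five lines, so the same adjustment would apply to them.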
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log 
@@ -0,0 +1,16 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"302","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-11T17:38:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:26\n 2021-03-11T17:38:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:26","IsoTimestamp":"2021-03-11T17:38:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:47:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:47:01\n 2021-03-11T17:47:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:47:01","IsoTimestamp":"2021-03-11T17:47:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:40\n 2021-03-11T17:48:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:40","IsoTimestamp":"2021-03-11T17:48:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:55:02Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:55:02\n 2021-03-11T17:55:02Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:55:02","IsoTimestamp":"2021-03-11T17:55:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM 
Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:42Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:42\n 2021-03-11T17:56:42Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:42","IsoTimestamp":"2021-03-11T17:56:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:30\n 2021-03-11T20:23:30Z\n 
VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 81.32.170.205\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:30","IsoTimestamp":"2021-03-11T20:23:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:54\n 2021-03-14T13:49:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\n PSM 
Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:54","IsoTimestamp":"2021-03-14T13:49:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:51:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:51:35\n 2021-03-14T13:51:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:51:35","IsoTimestamp":"2021-03-14T13:51:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:30\n 2021-03-15T10:33:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:30","IsoTimestamp":"2021-03-15T10:33:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:34:50Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:34:50\n 2021-03-15T10:34:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:34:50","IsoTimestamp":"2021-03-15T10:34:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T11:12:09Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 04:12:09\n 2021-03-15T11:12:09Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n 
Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 04:12:09","IsoTimestamp":"2021-03-15T11:12:09Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T13:18:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:36\n 2021-03-15T13:18:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n 
ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:36","IsoTimestamp":"2021-03-15T13:18:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:11\n 2021-03-15T14:08:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 
07:08:11","IsoTimestamp":"2021-03-15T14:08:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:36\n 2021-03-15T14:08:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:36","IsoTimestamp":"2021-03-15T14:08:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating 
System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T15:00:21Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:00:21\n 2021-03-15T15:00:21Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 302\n PSM Disconnect\n Info\n Administrator\n PSM Disconnect\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\n PSM Disconnect\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:00:21","IsoTimestamp":"2021-03-15T15:00:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"302","Desc":"PSM 
Disconnect","Severity":"Info","Issuer":"Administrator","Action":"PSM Disconnect","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;","Message":"PSM Disconnect","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log new file mode 100644 index 00000000000..1469d6ed00a --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log @@ -0,0 +1 @@ +<5>1 2021-03-25T09:20:56Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 05:20:56\n 2021-03-25T09:20:56Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 304\n PSM Upload Recording\n Info\n PSMApp_COMP01\n PSM Upload Recording\n \n \n PSMRecordings\n Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\n 10.0.0.15\n \n \n \n \n DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\n PSM Upload Recording\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 05:20:56","IsoTimestamp":"2021-03-25T09:20:56Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"304","Desc":"PSM Upload Recording","Severity":"Info","Issuer":"PSMApp_COMP01","Action":"PSM Upload Recording","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;","Message":"PSM Upload Recording","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log
new file mode 100644
index 00000000000..8c77aabf909
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log
@@ -0,0 +1,11 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 308\n Use Password\n Info\n adm2\n Use Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.6\n \n \n \n (Action: Connect)\n \n Use Password\n 10.2.0.3\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"308","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Use Password","Severity":"Info","Issuer":"adm2","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)","ExtraDetails":"","Message":"Use Password","GatewayStation":"10.2.0.3","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} +<5>1 2021-03-11T17:38:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:12\n 2021-03-11T17:38:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
09:38:12","IsoTimestamp":"2021-03-11T17:38:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:46:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:49\n 2021-03-11T17:46:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n FOR FUN.\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:49","IsoTimestamp":"2021-03-11T17:46:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"FOR FUN.","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:48:27Z 
VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:27\n 2021-03-11T17:48:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n For fun and profit\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:27","IsoTimestamp":"2021-03-11T17:48:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"For fun and profit","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:54:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:54:49\n 2021-03-11T17:54:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n Because I say so\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:54:49","IsoTimestamp":"2021-03-11T17:54:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"Because I say so","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T17:56:30Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:56:30\n 2021-03-11T17:56:30Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n for fun\n \n Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:56:30","IsoTimestamp":"2021-03-11T17:56:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"for fun","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T20:23:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:23:17\n 2021-03-11T20:23:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 10.0.2.2\n \n \n \n testing\n \n 
Use Password\n 81.32.170.205\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:23:17","IsoTimestamp":"2021-03-11T20:23:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"testing","ExtraDetails":"","Message":"Use Password","GatewayStation":"81.32.170.205","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-14T13:49:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:35\n 2021-03-14T13:49:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:35","IsoTimestamp":"2021-03-14T13:49:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:31:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:31:54\n 2021-03-15T10:31:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:31:54","IsoTimestamp":"2021-03-15T10:31:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use 
Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:08:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:08:26\n 2021-03-15T14:08:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:08:26","IsoTimestamp":"2021-03-15T14:08:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-16T10:04:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 03:04:49\n 2021-03-16T10:04:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 308\n Use Password\n Info\n Administrator\n Use Password\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 81.32.170.205\n \n \n \n \n \n Use Password\n 34.71.250.247\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 03:04:49","IsoTimestamp":"2021-03-16T10:04:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"308","Desc":"Use Password","Severity":"Info","Issuer":"Administrator","Action":"Use Password","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Use Password","GatewayStation":"34.71.250.247","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} 
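Review bot: The records in this fixture carry what look like real, routable addresses (81.32.170.205 as Station/GatewayStation, 34.71.250.247 and 34.123.103.115 as GatewayStation/Address) alongside user names; for a fixture committed to a public repository, prefer the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so the test data can neither be mistaken for nor point at live hosts. The first record is a bare JSON object with `"Rfc5424":"no"` and no syslog framing, while the remaining ten are `<5>1 <timestamp> VAULT`-framed; that is useful coverage of the header-less shape, but it reads like a truncated line, so a one-sentence mention in the data stream's test documentation that both framings are intentional would help the next maintainer. The pipeline that consumes these lines is outside this hunk, so both observations concern the fixture text only.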
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log
new file mode 100644
index 00000000000..18c5b7e67fb
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log
@@ -0,0 +1,5 @@ +<7>1 2021-03-08T18:31:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:31:52","IsoTimestamp":"2021-03-08T18:31:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansr","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} +<7>1 2021-03-08T18:32:03Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:03","IsoTimestamp":"2021-03-08T18:32:03Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adriansra","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"10.0.1.20"}}} +<7>1 2021-03-11T16:43:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:43:26\n 2021-03-11T16:43:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n PSMAdmin\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:43:26","IsoTimestamp":"2021-03-11T16:43:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"PSMAdmin","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User 
Logon","GatewayStation":""}}} +<7>1 2021-03-11T17:46:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:46:28\n 2021-03-11T17:46:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n adrian\n Undefined User Logon\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Undefined User Logon\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:46:28","IsoTimestamp":"2021-03-11T17:46:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"adrian","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"81.32.170.205"}}} +<7>1 2021-03-14T13:28:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:28:00\n 2021-03-14T13:28:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 309\n Undefined User Logon\n Error\n testark\n Undefined User Logon\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Undefined User Logon\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:28:00","IsoTimestamp":"2021-03-14T13:28:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"309","Desc":"Undefined User Logon","Severity":"Error","Issuer":"testark","Action":"Undefined User Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Undefined User Logon","GatewayStation":"34.71.250.247"}}} 
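Review bot: Every record here is framed with syslog priority `<7>` (facility 0, severity 7 = debug) while the embedded `audit_record` says `"Severity":"Error"`, whereas the 302/308/310 fixtures pair `<5>` (notice) with `"Severity":"Info"`; if the pipeline derives `log.syslog.severity` or `event.severity` from the PRI value, an undefined-user logon attempt would be ranked below an informational event, so the expected output for this fixture is worth checking to confirm severity is taken from the `Severity` field rather than the header. These are, from the vault's point of view, failed authentications with an unknown principal (Issuer is the attempted name, Safe/File are empty), which is the kind of event detection rules key on, so the mapping matters more here than for the other message IDs. The first two records also lack the `raw` field that the other three carry, which is good coverage but not called out anywhere; a short note in the test documentation would help. The pipeline itself is not part of this hunk, so the severity concern is inferred from the fixture text and should be verified against the pipeline and its expected-output file.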
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log
new file mode 100644
index 00000000000..ec268677c60
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log
@@ -0,0 +1 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 31\n CPM Reconcile Password\n Info\n PasswordManager\n CPM Reconcile Password\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.4\n \n \n \n ImmediateTask\n address=dbserver.cyberark.local;username=Administrator2;\n CPM Reconcile Password\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","IsoTimestamp":"2021-03-16T15:01:00Z","Version":"11.6.0000","MessageID":"31","Desc":"CPM Reconcile Password","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Reconcile Password","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.4","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask","ExtraDetails":"address=dbserver.cyberark.local;username=Administrator2;","Message":"CPM Reconcile Password","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null 
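Review bot: This is the only `"Rfc5424":"no"` sample in the set that arrives as a bare JSON object with no syslog header, whereas the other non-RFC samples in this commit carry a `Mar 08 02:48:07 VAULT` prefix, so the fixture silently asserts that the pipeline accepts header-less input; if that is intended, a second line in the header-bearing form would make the coverage explicit rather than accidental. Two values in this record deserve an explicit check in the expected output: `ExtraDetails` ends with a trailing `;` (`address=dbserver.cyberark.local;username=Administrator2;`), which a naive key/value split turns into an empty trailing pair, and `LastSuccessReconciliation` is an epoch string (`1604944215`) that should come out as a date rather than text if the pipeline maps `CAProperties`. The record also names the managed privileged account (`Administrator2` on `dbserver.cyberark.local`) and a `Customer` value; with `preserve_original_event` set in the companion config, all of that is retained verbatim in `event.original`, which is fine for a fixture as long as the names stay lab-only.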
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log new file mode 100644 index 00000000000..f2577708d06 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"310","Desc":"Monitor DR Replication start","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication start","GatewayStation":""}}} +Mar 08 02:48:07 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"310","Desc":"Monitor DR Replication start","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication start","GatewayStation":""}}} 
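Review bot: The second sample (`Mar 08 02:48:07 VAULT ...`) has neither a year nor a zone in its syslog header and, unlike the `"Rfc5424":"no"` record in test-31, carries no `IsoTimestamp` or `Timestamp` key in `audit_record`, so the only timestamp the pipeline can derive for it comes from a year-less BSD header. Whatever year the pipeline infers will be baked into the generated expected output, so this test will either drift at the next year boundary or depend on the test host's clock and zone unless `@timestamp` is pinned; either add `@timestamp: ".*"` next to `event.ingested` under `dynamic_fields` in the companion `.log-config.yml`, or replace the sample with one that carries an `IsoTimestamp`. The same shape appears in test-311, test-357 and test-358. Both samples also report `"Station":"0.0.0.0"` for the `Batch` issuer, so if the pipeline maps `Station` to `source.ip`, the expected output should confirm that `0.0.0.0` is deliberately dropped or deliberately kept rather than left to chance.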
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log
new file mode 100644
index 00000000000..1e3812c2a8b
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log
@@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"311","Desc":"Monitor DR Replication end","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication end","GatewayStation":""}}} +Mar 08 02:48:07 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"311","Desc":"Monitor DR Replication end","Severity":"Info","Issuer":"Batch","Action":"Monitor DR Replication end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor DR Replication end","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log new file mode 100644 index 00000000000..41f67cb2add --- /dev/null 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log @@ -0,0 +1 @@ +<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"316","Desc":"Reset User Password Detailed Information","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password Detailed Information","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"Password changed","ExtraDetails":"","Message":"Reset User Password Detailed Information","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log new file mode 100644 index 00000000000..f52711e43b9 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log 
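Review bot: This fixture pairs the actor (`"Issuer":"Administrator"`) with the account whose password was reset (`"SourceUser":"PSMGw_VAGRANT"`, which looks like a PSM gateway user), and the direction matters for detection: a credential reset on a component account must be attributed to the administrator, not to `PSMGw_VAGRANT`. Because the expected output for a pipeline test is normally generated from the pipeline itself, a swapped user mapping would still produce a green test, so whoever reviews the expected file should check by hand which ECS user field each of these two names lands in. `"Reason":"Password changed"` is the only non-empty `Reason` among the reset samples (test-317 leaves it empty), which makes this the right record to pin the `Reason` mapping on, if the pipeline has one.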
@@ -0,0 +1 @@ +<5>1 2021-03-10T18:16:45Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:45","IsoTimestamp":"2021-03-10T18:16:45Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"317","Desc":"Reset User Password","Severity":"Info","Issuer":"Administrator","Action":"Reset User Password","SourceUser":"PSMGw_VAGRANT","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Reset User Password","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log new file mode 100644 index 00000000000..6aee911c509 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log 
@@ -0,0 +1,16 @@ +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Master","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Administrator","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Batch","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Operators","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Backup Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"DR 
Users","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:20","IsoTimestamp":"2021-03-10T09:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Notification Engines","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:22","IsoTimestamp":"2021-03-10T09:11:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMPApp_localhost.localdomain","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:23Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMPConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:23","IsoTimestamp":"2021-03-10T09:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSMPLiveSessions","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:36","IsoTimestamp":"2021-03-10T09:11:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PVWAGWAccounts","TargetUser":"","Safe":"PSMPADBUserProfile","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:37Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:37","IsoTimestamp":"2021-03-10T09:11:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add 
Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_localhost.localdomain","TargetUser":"","Safe":"PSMPADBridgeConf","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T09:11:38Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:38","IsoTimestamp":"2021-03-10T09:11:38Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMP_ADB_AppUsers","TargetUser":"","Safe":"PSMPADBridgeCustom","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} +<5>1 2021-03-10T17:59:32Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:59:32","IsoTimestamp":"2021-03-10T17:59:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"32","Desc":"Add Owner","Severity":"Info","Issuer":"Administrator","Action":"Add Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Add Owner","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event 
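Review bot: All sixteen samples carry `"Station":"81.32.170.205"`, and other fixtures in this commit use `34.71.250.247` and `35.192.121.42`; aside from `127.0.0.1`, `10.0.1.20` and `10.2.0.4` these look like routable public addresses rather than lab addresses. Test data that ships in a public package should use the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) so that no real address is tied to audit-style records, and so that any geo/ASN enrichment the pipeline may do produces stable output that does not change when the upstream database is updated. Every line here puts the granted owner in `SourceUser` — often a group such as `Vault Admins`, `Backup Users` or `Notification Engines` — with `TargetUser` empty, so if the pipeline copies `SourceUser` into a user-name field the expected output will show group names there; worth confirming that is the intended mapping rather than an artefact of the fixture.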
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log new file mode 100644 index 00000000000..e58b64d6750 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log @@ -0,0 +1 @@ +<5>1 2021-03-11T16:21:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 326\n CPM Auto-detection Start\n Info\n PasswordManager\n CPM Auto-detection Start\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection Start\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:21:37","IsoTimestamp":"2021-03-11T16:21:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"326","Desc":"CPM Auto-detection Start","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Auto-detection Start","SourceUser":"","TargetUser":"","Safe":"PasswordManager_info","File":" ","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":" ","ExtraDetails":"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;","Message":"CPM Auto-detection Start","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml 
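Review bot: `File` and `Reason` in this record are a single space (`"File":" "`, `"Reason":" "`) even though the embedded `raw` payload shows nothing but whitespace for them, so the pipeline has to trim before deciding that a field is absent; otherwise the expected output will carry a one-character value in whatever these map to, which is invisible in Kibana and silently breaks equality-based detections and exists-queries. This sample is the right place to pin that behaviour: the expected output should show both fields dropped, not set to `" "`. `ExtraDetails` here also holds `ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;` — a value containing spaces and a trailing `;` — which exercises the key/value split harder than the other fixtures and is worth checking explicitly in the expected file.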
@@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log new file mode 100644 index 00000000000..8055d656a08 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log @@ -0,0 +1 @@ +<5>1 2021-03-11T16:21:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:21:37\n 2021-03-11T16:21:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 327\n CPM Auto-detection End\n Info\n PasswordManager\n CPM Auto-detection End\n \n \n PasswordManager_info\n \n 10.0.1.20\n \n \n \n \n ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\n CPM Auto-detection End\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:21:37","IsoTimestamp":"2021-03-11T16:21:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"327","Desc":"CPM Auto-detection End","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Auto-detection End","SourceUser":"","TargetUser":"","Safe":"PasswordManager_info","File":" ","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":" ","ExtraDetails":"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;","Message":"CPM Auto-detection End","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log
new file mode 100644
index 00000000000..16ec40c4f3c
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log
@@ -0,0 +1,7 @@ +<5>1 2021-03-10T18:16:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:49","IsoTimestamp":"2021-03-10T18:16:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:50","IsoTimestamp":"2021-03-10T18:16:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMApp_VAGRANT","TargetUser":"","Safe":"PVWAConfig","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
10:16:51","IsoTimestamp":"2021-03-10T18:16:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PSMMaster","TargetUser":"","Safe":"PSM","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T18:16:53Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:16:53","IsoTimestamp":"2021-03-10T18:16:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"Vault Admins","TargetUser":"","Safe":"PSMUniversalConnectors","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-10T22:19:18Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:19:18","IsoTimestamp":"2021-03-10T22:19:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"Administrator","Action":"Update Owner","SourceUser":"PVWAAppUsers","TargetUser":"","Safe":"PSM","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} +<5>1 2021-03-11T17:38:14Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:14\n 2021-03-11T17:38:14Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 33\n Update Owner\n Info\n PSMPApp_VAGRANT\n Update Owner\n Auditors\n \n PSMRecordings\n \n 81.32.170.205\n \n \n \n \n \n Update Owner\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 
11 09:38:14","IsoTimestamp":"2021-03-11T17:38:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"33","Desc":"Update Owner","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Update Owner","SourceUser":"Auditors","TargetUser":"","Safe":"PSMRecordings","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update Owner","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log new file mode 100644 index 00000000000..726201faa4d --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"355","Desc":"Monitor License Expiration Date start","Severity":"Info","Issuer":"Batch","Action":"Monitor License Expiration Date start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor License Expiration Date start","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log new file mode 100644 index 00000000000..a5ed2fa3bef --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log @@ -0,0 +1 @@ +<5>1 2021-03-09T10:17:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:17:54","IsoTimestamp":"2021-03-09T10:17:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"356","Desc":"Monitor License Expiration Date end","Severity":"Info","Issuer":"Batch","Action":"Monitor License Expiration Date end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor License Expiration Date end","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log new file mode 100644 index 00000000000..50743ea86e7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log @@ -0,0 +1,2 @@ +<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"357","Desc":"Monitor FW rules start","Severity":"Info","Issuer":"Batch","Action":"Monitor FW rules start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW rules start","GatewayStation":""}}} +Mar 08 02:32:56 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"357","Desc":"Monitor FW rules start","Severity":"Info","Issuer":"Batch","Action":"Monitor FW rules start","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW rules start","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log
new file mode 100644
index 00000000000..cbda469d1fc
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"358","Desc":"Monitor FW Rules end","Severity":"Info","Issuer":"Batch","Action":"Monitor FW Rules end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW Rules end","GatewayStation":""}}}
+Mar 08 02:32:56 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"358","Desc":"Monitor FW Rules end","Severity":"Info","Issuer":"Batch","Action":"Monitor FW Rules end","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Monitor FW Rules end","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log
new file mode 100644
index 00000000000..3006cd28bbd
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log
@@ -0,0 +1,10 @@ +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 
2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} 
+<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL 
Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND 
((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:44\n 2021-03-25T14:56:44Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:44","IsoTimestamp":"2021-03-25T14:56:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL 
Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:45Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:45\n 2021-03-25T14:56:45Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 
10:56:45","IsoTimestamp":"2021-03-25T14:56:45Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:56:54Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:56:54\n 2021-03-25T14:56:54Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\n SQL Command\n \n \n \n \n \n \n \n \n 
\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:56:54","IsoTimestamp":"2021-03-25T14:56:54Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:58:02Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:58:02\n 2021-03-25T14:58:02Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:58:02","IsoTimestamp":"2021-03-25T14:58:02Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:57:05Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:57:05\n 2021-03-25T14:57:05Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=SELECT INFO FROM 
SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:57:05","IsoTimestamp":"2021-03-25T14:57:05Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} +<5>1 2021-03-25T14:58:44Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 10:58:44\n 2021-03-25T14:58:44Z\n VLT01\n Cyber-Ark\n Vault\n 
12.0.0000\n 359\n SQL Command\n Info\n Administrator\n SQL Command\n \n \n Oracle\n Root\\Database-Oracle-oracle.cybr.com-HR\n 10.0.0.15\n \n \n \n \n Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\n SQL Command\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 10:58:44","IsoTimestamp":"2021-03-25T14:58:44Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"359","Desc":"SQL Command","Severity":"Info","Issuer":"Administrator","Action":"SQL Command","SourceUser":"","TargetUser":"","Safe":"Oracle","File":"Root\\Database-Oracle-oracle.cybr.com-HR","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;","Message":"SQL Command","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"HR"},{"Name":"Address","Value":"oracle.cybr.com"},{"Name":"Database","Value":"XE"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580248"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Port","Value":"1521"},{"Name":"LastSuccessChange","Value":"1616011984"},{"Name":"Tags","Value":"Oracle;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}} 
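Review bot: Several `Command=` values inside `ExtraDetails` in this fixture carry escaped delimiters — `BEGIN DBMS_OUTPUT.DISABLE\\; END\\;;` on the second event, `USERID \\= 'PUBLIC'` and `UPPER(ATTRIBUTE) \\= 'ROLES'` on the fourth, and a `(Parameters bound by position: 1\\=[SQL*Plus])` suffix on the fifth — which is precisely where a naive `;`/`=` key=value split of `ExtraDetails` would truncate the command or produce a stray key. The expected-output file for this fixture is not part of the hunk, so I cannot tell whether the parsed command is asserted; please make sure it pins the full `Command` string for those events rather than only checking that the ten documents ingest without error. It would also be worth a line in the data stream's test notes saying that events 2, 4 and 5 exist to cover `\;` and `\=` escapes, so a later fixture trim does not drop them.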
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log
new file mode 100644
index 00000000000..6c959f21d65
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log
@@ -0,0 +1,7 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n Linux\n Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\n 10.2.0.7\n \n \n \n \n Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"361","IsoTimestamp":"2021-03-16T15:01:00Z","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"Linux","File":"Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2","Station":"10.2.0.7","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=ls \"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"LINUX-SSH"},{"Name":"UserName","Value":"admin2"},{"Name":"Address","Value":"radiussrv.cyberark.local"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"CPMDisabled","Value":"No Reason"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"Customer","Value":"Tesla"}]}}}} +<5>1 2021-03-14T13:49:49Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:49\n 2021-03-14T13:49:49Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 
34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:49:49","IsoTimestamp":"2021-03-14T13:49:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:32:04Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:32:04\n 2021-03-15T10:32:04Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:32:04","IsoTimestamp":"2021-03-15T10:32:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:33:47Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:33:47\n 2021-03-15T10:33:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:33:47","IsoTimestamp":"2021-03-15T10:33:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T10:35:08Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:35:08\n 2021-03-15T10:35:08Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n 
Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:35:08","IsoTimestamp":"2021-03-15T10:35:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-15T14:11:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:11:18\n 2021-03-15T14:11:18Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n 
\n \n \n \n Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:11:18","IsoTimestamp":"2021-03-15T14:11:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;","Message":"Keystroke logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814025"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}} +<5>1 2021-03-15T14:45:51Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:45:51\n 2021-03-15T14:45:51Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 361\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 34.71.250.247\n \n \n \n \n Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:45:51","IsoTimestamp":"2021-03-15T14:45:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"361","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;","Message":"Keystroke 
logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log
new file mode 100644
index 00000000000..211d487b613
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log
@@ -0,0 +1,15 @@ +<7>1 2021-03-15T13:19:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:19:58\n 2021-03-15T13:19:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:19:58","IsoTimestamp":"2021-03-15T13:19:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814397"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:25:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:25:32\n 2021-03-15T13:25:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\n\n address=34.66.114.180;username=bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:25:32","IsoTimestamp":"2021-03-15T13:25:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n","ExtraDetails":"address=34.66.114.180;username=bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615814709"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"UserDN","Value":"ELASTIC.local"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:33:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:33:26\n 2021-03-15T13:33:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:33:26","IsoTimestamp":"2021-03-15T13:33:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615815206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T15:04:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:04:11\n 2021-03-15T15:04:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:04:11","IsoTimestamp":"2021-03-15T15:04:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615820651"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:35:01Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:35:01\n 2021-03-15T16:35:01Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:35:01","IsoTimestamp":"2021-03-15T16:35:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615826099"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T16:56:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 09:56:29\n 2021-03-15T16:56:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 09:56:29","IsoTimestamp":"2021-03-15T16:56:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827245"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:01:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:01:07\n 2021-03-15T17:01:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:01:07","IsoTimestamp":"2021-03-15T17:01:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827554"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"mariadb"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:05:47Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:05:47\n 2021-03-15T17:05:47Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:05:47","IsoTimestamp":"2021-03-15T17:05:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615827864"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:10:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:10:25\n 2021-03-15T17:10:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=10.0.1.20;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:10:25","IsoTimestamp":"2021-03-15T17:10:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=10.0.1.20;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"10.0.1.20"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615828174"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"DSN","Value":"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:28:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:28:07\n 2021-03-15T17:28:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:28:07","IsoTimestamp":"2021-03-15T17:28:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829287"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:33:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:33:17\n 2021-03-15T17:33:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:33:17","IsoTimestamp":"2021-03-15T17:33:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829597"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 10:38:27\n 2021-03-15T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\n address=127.0.0.1;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 10:38:27","IsoTimestamp":"2021-03-15T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n","ExtraDetails":"address=127.0.0.1;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"127.0.0.1"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615829907"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T18:00:07Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:00:07\n 2021-03-15T18:00:07Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Database-MySQL-10.0.1.20-root\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\n address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:00:07","IsoTimestamp":"2021-03-15T18:00:07Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.0.1.20-root","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n","ExtraDetails":"address=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"root"},{"Name":"Address","Value":"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615831206"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"DSN","Value":"mysql"},{"Name":"CPMErrorDetails","Value":"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<7>1 2021-03-15T18:05:16Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 11:05:16\n 2021-03-15T18:05:16Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\n address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 11:05:16","IsoTimestamp":"2021-03-15T18:05:16Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615831516"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-16T09:50:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 16 02:50:19\n 2021-03-16T09:50:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 38\n CPM Verify Password Failed\n Error\n PasswordManager\n CPM Verify Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\n address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\n CPM Verify Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 16 02:50:19","IsoTimestamp":"2021-03-16T09:50:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"38","Desc":"CPM Verify Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Verify Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;","Message":"CPM Verify Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC.local\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"VerifyTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615888216"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). "},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log new file mode 100644 index 00000000000..54143042844 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log 
@@ -0,0 +1,5 @@ +<5>1 2021-03-11T16:31:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:31:13\n 2021-03-11T16:31:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:31:13","IsoTimestamp":"2021-03-11T16:31:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T16:31:23Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:31:23\n 2021-03-11T16:31:23Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:31:23","IsoTimestamp":"2021-03-11T16:31:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-11T19:40:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:40:52\n 
2021-03-11T19:40:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:40:52","IsoTimestamp":"2021-03-11T19:40:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:04:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:04:35\n 2021-03-14T12:04:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit 
Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:04:35","IsoTimestamp":"2021-03-14T12:04:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:04:53Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:04:53\n 2021-03-14T12:04:53Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 385\n BLService Audit Record\n Info\n Administrator\n BLService Audit Record\n \n \n \n \n 127.0.0.1\n 
UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy\n \n \n \n \n BLService Audit Record\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:04:53","IsoTimestamp":"2021-03-14T12:04:53Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"385","Desc":"BLService Audit Record","Severity":"Info","Issuer":"Administrator","Action":"BLService Audit Record","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"UpdatetrueEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1N/AMaster Policy","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"BLService Audit Record","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null 
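Review bot: In all five records of this fixture the `Location` field does not hold a location but a concatenated Master Policy change blob (`UpdatetrueEnforceExclusiveAccess: False; ... DualControlRequiredConfirmers: 1N/AMaster Policy`), and the diffstat I can see lists only `.log` and `.log-config.yml` files, so nothing in this patch pins how the pipeline treats that value. If `Location` is mapped onto a narrow keyword or a geo-style field, these records are exactly the ones that would truncate or fail, and an expected-output document asserting the value is kept verbatim under whatever field the pipeline uses for `Location` would catch that. The records also flip `RecordSessions` (False to True) and `PSMEnabled` (True to False) between events, which makes the fixture a good place to assert that Master Policy updates are classified as configuration-change events rather than generic info, presumably via `event.category`/`event.type` — but the mapping lives in the pipeline, not in this hunk.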
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log
new file mode 100644
index 00000000000..283cc15f94e
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log
@@ -0,0 +1,2 @@
+<7>1 2021-03-10T18:42:36Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:42:36","IsoTimestamp":"2021-03-10T18:42:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":""}}}
+<7>1 2021-03-11T18:03:43Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:03:43\n 2021-03-11T18:03:43Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 4\n User Authentication\n Error\n Administrator\n User Authentication\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n User Authentication\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:03:43","IsoTimestamp":"2021-03-11T18:03:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"4","Desc":"User Authentication","Severity":"Error","Issuer":"Administrator","Action":"User Authentication","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"User Authentication","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
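Review bot: The first record's `Station` is `81.32.170.205`, a routable public address that any geo/ASN enrichment the pipeline applies will resolve as a real host; fixtures conventionally use an RFC 5737 documentation range (for example `203.0.113.10`) so generated expected output never points at a real system. The same applies to `34.66.114.180` in the test-38 fixture above and `34.123.103.115` in the test-427 fixture below. Separately, this is the one fixture here whose first record has no `raw` key while the second does, so when expected output is added it is worth asserting both records yield the same `event.*` classification — MessageID 4 with `Severity: Error` presumably maps to a failed authentication, but that depends on the pipeline, which is not part of this hunk.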
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log
new file mode 100644
index 00000000000..1bc88cc1bbe
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log
@@ -0,0 +1 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 411\n Window Title\n Info\n adm2\n Window Title\n \n \n Windows\n Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\n 10.2.0.5\n \n \n \n \n Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\n Window Title\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"411","Desc":"Window Title","Severity":"Info","Issuer":"adm2","Action":"Window Title","SourceUser":"","TargetUser":"","Safe":"Windows","File":"Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2","Station":"10.2.0.5","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;","IsoTimestamp":"2021-03-16T17:11:42Z","Message":"Window Title","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WIN-SERVER-LOCAL"},{"Name":"UserName","Value":"Administrator2"},{"Name":"Address","Value":"dbserver.cyberark.local"},{"Name":"DeviceType","Value":"Operating 
System"},{"Name":"LogonDomain","Value":"DBServer"},{"Name":"SequenceID","Value":"1"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"success"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessReconciliation","Value":"1604944215"},{"Name":"Customer","Value":"EvilCorp"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log
new file mode 100644
index 00000000000..e10964e76c2
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log
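Review bot: This record has no syslog priority/header prefix (every other fixture starts with `<N>1 <timestamp> <host> `), carries `"Rfc5424":"no"`, and has no `Timestamp` or `Hostname` keys, with `IsoTimestamp` appearing near the end of the object; it is the only fixture exercising the non-RFC5424 path, so an expected document pinning `@timestamp` to `2021-03-16T17:11:42Z` and an absent host name would make that path's behaviour explicit rather than incidental. The `ExtraDetails` value also contains a comma inside a value (`Command=shutdown.exe, Shutdown Event Tracker`), so the key/value split must break on `;` only — worth asserting `Command` survives intact. The pipeline itself is not in this hunk, so both points are inferred from the fixture.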
@@ -0,0 +1 @@ +<5>1 2021-03-25T11:29:37Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 07:29:37\n 2021-03-25T11:29:37Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 412\n Keystroke logging\n Info\n Administrator\n Keystroke logging\n \n \n MSSQL\n Root\\Database-MSSql-epmsvr01.cybr.com-sa\n 10.0.0.15\n \n \n \n \n Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\n Keystroke logging\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 07:29:37","IsoTimestamp":"2021-03-25T11:29:37Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"412","Desc":"Keystroke logging","Severity":"Info","Issuer":"Administrator","Action":"Keystroke logging","SourceUser":"","TargetUser":"","Safe":"MSSQL","File":"Root\\Database-MSSql-epmsvr01.cybr.com-sa","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"Command=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;","Message":"Keystroke 
logging","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MSSql"},{"Name":"UserName","Value":"sa"},{"Name":"Address","Value":"tgtsvr01.cybr.com"},{"Name":"Database","Value":"master"},{"Name":"DeviceType","Value":"Database"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616580240"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1616011980"},{"Name":"Tags","Value":"SQL;DB"},{"Name":"Privcloud","Value":"privcloud"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log
new file mode 100644
index 00000000000..d1548afa3c1
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log
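Review bot: `ExtraDetails` here contains an escaped delimiter, `Command=SHOW DATABASES\\;;ConnectionComponentId=...` (which is `\;` once the JSON layer is decoded), so a naive split on `;` produces `Command=SHOW DATABASES\`, an empty pair, and then shifts nothing else but leaves a wrong command value; the fixture is valuable precisely because of this, yet without an expected document the outcome is unchecked. An expected-output assertion that the parsed `Command` equals `SHOW DATABASES;` would settle whether the KV step handles the escape or needs one. Whether the pipeline already unescapes `\;` cannot be seen from this hunk.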
@@ -0,0 +1 @@
+<5>1 2021-03-25T10:04:06Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 06:04:06\n 2021-03-25T10:04:06Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 414\n CPM Verify SSH Key\n Info\n PasswordManager\n CPM Verify SSH Key\n \n \n Linux SSH Keys\n Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\n 10.0.0.15\n \n \n \n VerificationPeriod\n address=rhel7.cybr.com;username=firecall1;\n CPM Verify SSH Key\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 06:04:06","IsoTimestamp":"2021-03-25T10:04:06Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"414","Desc":"CPM Verify SSH Key","Severity":"Info","Issuer":"PasswordManager","Action":"CPM Verify SSH Key","SourceUser":"","TargetUser":"","Safe":"Linux SSH Keys","File":"Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"VerificationPeriod","ExtraDetails":"address=rhel7.cybr.com;username=firecall1;","Message":"CPM Verify SSH Key","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"firecall1"},{"Name":"Address","Value":"rhel7.cybr.com"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"SequenceID","Value":"2"},{"Name":"CPMStatus","Value":"success"},{"Name":"ExtraPass3Name","Value":"Operating System-UnixSSH-rhel7.cybr.com-root"},{"Name":"ExtraPass3Folder","Value":"Root"},{"Name":"ExtraPass3Safe","Value":"Linux Root"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"VerifyTask"},{"Name":"LastSuccessVerification","Value":"1616666646"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1582315464"},{"Name":"Tags","Value":"SSH"},{"Name":"Privcloud","Value":"privcloud"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log
new file mode 100644
index 00000000000..8c7361274f6
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log
@@ -0,0 +1 @@
+<5>1 2021-03-11T16:50:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:17\n 2021-03-11T16:50:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 427\n Store SSH Key\n Info\n Administrator\n Store SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n \n \n Store SSH Key\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:17","IsoTimestamp":"2021-03-11T16:50:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"427","Desc":"Store SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Store SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store SSH Key","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log
new file mode 100644
index 00000000000..1420d0a428e
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log
@@ -0,0 +1,3 @@
+<5>1 2021-03-11T17:43:44Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:43:44\n 2021-03-11T17:43:44Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)for fun and profit\n \n \n for fun and profit\n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:43:44","IsoTimestamp":"2021-03-11T17:43:44Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Retrieve SSH key)for fun and profit","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"for fun and profit","RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-11T21:08:48Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:08:48\n 2021-03-11T21:08:48Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Connect)testing(Connection to address: 34.123.103.115)\n \n \n testing\n Connect\n \n \n 34.123.103.115\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n 
\n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:08:48","IsoTimestamp":"2021-03-11T21:08:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: Connect)testing(Connection to address: 34.123.103.115)","PvwaDetails":{"RetrieveReason":{"General":{"UserReason":"testing","RetrieveAction":"Connect"},"ConnectionDetails":{"ConnectionAddress":"34.123.103.115"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
+<5>1 2021-03-15T13:18:52Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:18:52\n 2021-03-15T13:18:52Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 428\n Retrieve SSH Key\n Info\n Administrator\n Retrieve SSH Key\n \n \n PSM\n Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian\n 127.0.0.1\n \n \n \n (Action: Retrieve SSH key)\n \n \n Retrieve SSH key\n \n\n \n Retrieve SSH Key\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:18:52","IsoTimestamp":"2021-03-15T13:18:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"428","Desc":"Retrieve SSH Key","Severity":"Info","Issuer":"Administrator","Action":"Retrieve SSH Key","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"(Action: 
Retrieve SSH key)","PvwaDetails":{"RetrieveReason":{"General":{"RetrieveAction":"Retrieve SSH key"}}},"ExtraDetails":"","Message":"Retrieve SSH Key","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSHKeys"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log
new file mode 100644
index 00000000000..2101b711cb2
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log
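Review bot: The sample events in test-428-retrieve-ssh-key.log carry a routable public address, `34.123.103.115`, in the `File` name, the `Address` CAProperty and `ConnectionDetails.ConnectionAddress`, and test-50-store-file.log and test-52-delete-file.log likewise use `81.32.170.205` and `35.192.121.42` as `Station` values, whereas the other fixtures stay in loopback or RFC 1918 space (`127.0.0.1`, `10.0.1.20`). If these lines were exported from a real lab, consider rewriting the addresses to the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) before they land in a public repository, since the values will be copied verbatim into the generated expected-output files and any documentation samples built from them. The same fixture also contains free-text `Reason`/`UserReason` values such as `for fun and profit`; a neutral phrase would read better in published examples, though it has no effect on the pipeline test itself.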
@@ -0,0 +1 @@
+<5>1 2021-03-14T12:06:35Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:06:35\n 2021-03-14T12:06:35Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 449\n Create Discovery Succeeded\n Info\n Administrator\n Create Discovery Succeeded\n \n \n \n \n 10.0.1.20\n \n \n \n Status:Success; Discovery:; Reason:;\n \n Create Discovery Succeeded\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:06:35","IsoTimestamp":"2021-03-14T12:06:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"449","Desc":"Create Discovery Succeeded","Severity":"Info","Issuer":"Administrator","Action":"Create Discovery Succeeded","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Status:Success; Discovery:; Reason:;","ExtraDetails":"","Message":"Create Discovery Succeeded","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log
new file mode 100644
index 00000000000..918e0a5df3a
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log
@@ -0,0 +1,3 @@
+<5>1 2021-03-08T10:19:42Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 02:19:42","IsoTimestamp":"2021-03-08T10:19:42Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account rotation","ExtraDetails":"DualAccountStatus=Active;Index=2;","Message":"General Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"24"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1614868762"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-10T14:38:57Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 06:38:57","IsoTimestamp":"2021-03-10T14:38:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account 
rotation","ExtraDetails":"DualAccountStatus=Active;Index=1;","Message":"General Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountA"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"27"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615231204"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"1"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
+<5>1 2021-03-14T11:48:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 04:48:26\n 2021-03-14T11:48:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 459\n General Audit\n Info\n PasswordManager\n General Audit\n \n \n Test\n Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\n 10.0.1.20\n \n \n \n Dual account rotation\n DualAccountStatus=Active;Index=2;\n General Audit\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 04:48:26","IsoTimestamp":"2021-03-14T11:48:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"459","Desc":"General Audit","Severity":"Info","Issuer":"PasswordManager","Action":"General Audit","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"Dual account rotation","ExtraDetails":"DualAccountStatus=Active;Index=2;","Message":"General 
Audit","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"x_accountB"},{"Name":"Address","Value":"components"},{"Name":"SequenceID","Value":"25"},{"Name":"CPMStatus","Value":"success"},{"Name":"RetriesCount","Value":"-1"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"GroupName","Value":"WindowsGroup"},{"Name":"LastSuccessChange","Value":"1615419568"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"Index","Value":"2"},{"Name":"DualAccountStatus","Value":"Active"},{"Name":"VirtualUsername","Value":"virtual"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log
new file mode 100644
index 00000000000..3888e2be150
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T18:14:35Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:14:35","IsoTimestamp":"2021-03-10T18:14:35Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"467","Desc":"The component public key for JWT authentication was updated","Severity":"Info","Issuer":"PasswordManager","Action":"The component public key for JWT authentication was updated","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"The component public key for JWT authentication was updated","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log
new file mode 100644
index 00000000000..2fe8ec3c4c7
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log
@@ -0,0 +1,2 @@
+<7>1 2021-03-04T19:10:01Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:01","IsoTimestamp":"2021-03-04T19:10:01Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"479","Desc":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","Severity":"Error","Issuer":"Builtin","Action":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","GatewayStation":""}}}
+Mar 08 07:46:54 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"479","Desc":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","Severity":"Error","Issuer":"Builtin","Action":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log
new file mode 100644
index 00000000000..fb620b8f180
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log
@@ -0,0 +1 @@
+<5>1 2021-03-10T08:31:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:31:49","IsoTimestamp":"2021-03-10T08:31:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"482","Desc":"Update existing Add Account Bulk Operation succeeded","Severity":"Info","Issuer":"PVWAAppUser","Action":"Update existing Add Account Bulk Operation succeeded","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Update existing Add Account Bulk Operation succeeded","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log
new file mode 100644
index 00000000000..f3d9bd31a39
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log
@@ -0,0 +1,6 @@
+<5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:21","IsoTimestamp":"2021-03-10T09:11:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMPConf","File":"Root\\syntaxparser-conf.json.1.1","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T18:36:22Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:36:22","IsoTimestamp":"2021-03-10T18:36:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-10T22:17:56Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:56","IsoTimestamp":"2021-03-10T22:17:56Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-11T17:38:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:27\n 2021-03-11T17:38:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n PSMPApp_VAGRANT\n Store File\n \n \n PSMRecordings\n root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\n 81.32.170.205\n \n \n \n \n \n Store File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:27","IsoTimestamp":"2021-03-11T17:38:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Store File","SourceUser":"","TargetUser":"","Safe":"PSMRecordings","File":"root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":""}}}
+<5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 50\n Store File\n Info\n Administrator\n Store File\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Store File\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"50","Desc":"Store File","Severity":"Info","Issuer":"Administrator","Action":"Store 
File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Store File","GatewayStation":"10.0.1.20"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log
new file mode 100644
index 00000000000..8cd3214a84f
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log
@@ -0,0 +1,2 @@
+<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
+<5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"AppProviderConf","File":"Root\\main_appprovider.conf.Win64.11.04","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log
new file mode 100644
index 00000000000..d9d8af79da4
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log 
@@ -0,0 +1,10 @@ +<5>1 2021-03-08T18:32:43Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:32:43","IsoTimestamp":"2021-03-08T18:32:43Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"Test","File":"Root\\Operating System-WinDesktopLocal-Address-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDesktopLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-08T18:38:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:38:21","IsoTimestamp":"2021-03-08T18:38:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"VaultInternal","File":"Root\\Operating System-WinServerLocal-components-adriansr","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinServerLocal"},{"Name":"UserName","Value":"adriansr"},{"Name":"Address","Value":"components"},{"Name":"LogonDomain","Value":"COMPONENTS"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-08T19:20:04Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
11:20:04","IsoTimestamp":"2021-03-08T19:20:04Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PasswordManager","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"Root\\Test_4","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} +<5>1 2021-03-11T18:59:57Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 10:59:57\n 2021-03-11T18:59:57Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n PSMApp_ASR-WIN\n Delete File\n \n \n PSMSessions\n Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\n 35.192.121.42\n \n \n \n \n \n Delete File\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 10:59:57","IsoTimestamp":"2021-03-11T18:59:57Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":""}}} +<5>1 2021-03-11T19:32:12Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 11:32:12\n 2021-03-11T19:32:12Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 127.0.0.1\n \n \n \n \n \n Delete File\n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:32:12","IsoTimestamp":"2021-03-11T19:32:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete 
File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"_PSMLiveSessions_1","Value":""},{"Name":"_PSMLiveSessions_2","Value":""},{"Name":"_PSMLiveSessions_3","Value":""},{"Name":"_PSMLiveSessions_4","Value":""},{"Name":"_PSMLiveSessions_5","Value":""}]}}}} +<5>1 2021-03-11T21:06:40Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:40\n 2021-03-11T21:06:40Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\Operating System-WinDomain-35.192.121.42-PSMConnect\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:40","IsoTimestamp":"2021-03-11T21:06:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\Operating System-WinDomain-35.192.121.42-PSMConnect","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"35.192.121.42"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<5>1 2021-03-11T21:06:50Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:06:50\n 2021-03-11T21:06:50Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n 
Root\\PSM-ASR-CYBERARK-WI\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:06:50","IsoTimestamp":"2021-03-11T21:06:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSM-ASR-CYBERARK-WI","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMConnect"},{"Name":"Address","Value":"10.128.0.65"},{"Name":"LogonDomain","Value":"ASR-CYBERARK-WI"}]}}}} +<5>1 2021-03-14T12:10:17Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:10:17\n 2021-03-14T12:10:17Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n PSM\n Root\\PSMAdmin\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:10:17","IsoTimestamp":"2021-03-14T12:10:17Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"PSM","File":"Root\\PSMAdmin","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"UserName","Value":"PSMAdminConnect"},{"Name":"Address","Value":"169.254.180.25"},{"Name":"LogonDomain","Value":"VAGRANT-2012-R2"}]}}}} +<5>1 2021-03-15T15:09:00Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:09:00\n 2021-03-15T15:09:00Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n 
Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-Oracle-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:09:00","IsoTimestamp":"2021-03-15T15:09:00Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-Oracle-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"Oracle"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}} +<5>1 2021-03-15T15:13:59Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 08:13:59\n 2021-03-15T15:13:59Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 52\n Delete File\n Info\n Administrator\n Delete File\n \n \n partner\n Root\\Database-MySQL-10.128.0.7-adrian\n 127.0.0.1\n \n \n \n \n \n Delete File\n 10.0.1.20\n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 08:13:59","IsoTimestamp":"2021-03-15T15:13:59Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"52","Desc":"Delete File","Severity":"Info","Issuer":"Administrator","Action":"Delete File","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Database-MySQL-10.128.0.7-adrian","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Delete 
File","GatewayStation":"10.0.1.20","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"MySQL"},{"Name":"UserName","Value":"adrian"},{"Name":"Address","Value":"10.128.0.7"},{"Name":"Port","Value":"3306"},{"Name":"Database","Value":"test"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Database"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log
new file mode 100644
index 00000000000..2131bafce3e
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log
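Review bot: The fixture events in this hunk carry what look like real infrastructure identifiers rather than reserved documentation values — `"Station":"35.192.121.42"` in the PSMSessions event and `"Address","Value":"35.192.121.42"` in the later CAProperties, alongside personal-looking account names such as `adriansr`. Test data for a privileged-access audit source ends up copied into expected-output files and docs, so the safer convention is RFC 5737 ranges (`192.0.2.x`, `198.51.100.x`, `203.0.113.x`) and reserved names (`example.com`) for anything that is not loopback or private; the same applies to `rhel7.cybr.com` in test-57-cpm-change-password-failed.log and to `34.66.114.180` / `34.123.103.115` in test-60-cpm-reconcile-password-failed.log. Separately, the `raw` value in the later events here contains only whitespace and text (`"\n\n \n yes\n Mar 11 10:59:57\n ..."`) with no element names, which may simply be how this page was rendered; if the committed fixture really lacks the markup, these lines do not exercise the pipeline's handling of the raw XML payload and the expected output for them should be checked against a genuine sample.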
@@ -0,0 +1 @@ +<7>1 2021-03-25T12:00:08Z VLT01 {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 25 08:00:08\n 2021-03-25T12:00:08Z\n VLT01\n Cyber-Ark\n Vault\n 12.0.0000\n 57\n CPM Change Password Failed\n Error\n PasswordManager\n CPM Change Password Failed\n \n \n Linux Accounts\n Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\n 10.0.0.15\n \n \n \n ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\n address=rhel7.cybr.com;username=firecall2;\n CPM Change Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 25 08:00:08","IsoTimestamp":"2021-03-25T12:00:08Z","Hostname":"VLT01","Vendor":"Cyber-Ark","Product":"Vault","Version":"12.0.0000","MessageID":"57","Desc":"CPM Change Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Change Password Failed","SourceUser":"","TargetUser":"","Safe":"Linux Accounts","File":"Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2","Station":"10.0.0.15","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002","ExtraDetails":"address=rhel7.cybr.com;username=firecall2;","Message":"CPM Change Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"firecall2"},{"Name":"Address","Value":"rhel7.cybr.com"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"ResetImmediately","Value":"ChangeTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"ExtraPass3Name","Value":"Operating System-UnixSSH-rhel7.cybr.com-root"},{"Name":"ExtraPass3Folder","Value":"Root"},{"Name":"ExtraPass3Safe","Value":"Linux Root"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1616673608"},{"Name":"LastTask","Value":"ChangeTask"},{"Name":"LastSuccessVerification","Value":"1616580255"},{"Name":"CPMErrorDetails","Value":"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"LastSuccessChange","Value":"1616011989"},{"Name":"LastSuccessReconciliation","Value":"1576120341"},{"Name":"UseSudoOnReconcile","Value":"No"},{"Name":"Tags","Value":"SSH"},{"Name":"Privcloud","Value":"privcloud"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log
new file mode 100644
index 00000000000..9b834634185
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log
@@ -0,0 +1,3 @@
+<5>1 2021-03-04T19:25:02Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:25:02","IsoTimestamp":"2021-03-04T19:25:02Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"PasswordManager","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}}
+Mar 08 03:10:31 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"PasswordManager","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"PasswordManager_workspace","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}}
+<5>1 2021-03-09T09:00:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 01:00:47","IsoTimestamp":"2021-03-09T09:00:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"59","Desc":"Clear Safe History","Severity":"Info","Issuer":"Batch","Action":"Clear Safe History","SourceUser":"","TargetUser":"","Safe":"System","File":"","Station":"0.0.0.0","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Clear Safe History","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
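Review bot: The second event in this hunk (`+Mar 08 03:10:31 VAULT {...}`, with `"Rfc5424":"no"`) has no `IsoTimestamp`, `Timestamp` or `Hostname` key, so the only time source the pipeline can use is the legacy syslog header `Mar 08 03:10:31`, which carries neither a year nor a time zone. Whatever `@timestamp` the expected output records for that line is therefore either an assumption baked into the pipeline (current year, a default zone) or a value the test pins; if it is the former, this test becomes dependent on when it runs, so the expected file for this line is worth confirming and the reference time pinned in the adjacent `-config.yml` if the harness allows it. Mixing the RFC 5424 and legacy formats in one fixture, and including the `"Station":"0.0.0.0"` Batch event, is useful coverage and worth keeping.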
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+  event.ingested: ".*"
+fields:
+  tags:
+    - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log
new file mode 100644
index 00000000000..2a5483207bf
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log
@@ -0,0 +1,9 @@ +<7>1 2021-03-11T21:12:22Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 13:12:22\n 2021-03-11T21:12:22Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 13:12:22","IsoTimestamp":"2021-03-11T21:12:22Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615497142"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:18:15Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:18:15\n 2021-03-14T13:18:15Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:18:15","IsoTimestamp":"2021-03-14T13:18:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=2;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"2"},{"Name":"LastFailDate","Value":"1615727895"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T13:46:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:46:13\n 2021-03-14T13:46:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 
60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 06:46:13","IsoTimestamp":"2021-03-14T13:46:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615729572"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-14T14:49:11Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 07:49:11\n 2021-03-14T14:49:11Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 07:49:11","IsoTimestamp":"2021-03-14T14:49:11Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=3;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"3"},{"Name":"LastFailDate","Value":"1615733350"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:18Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:18\n 2021-03-15T10:12:18Z\n VAULT\n Cyber-Ark\n Vault\n 
11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:18","IsoTimestamp":"2021-03-15T10:12:18Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=4;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"4"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T10:12:19Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 03:12:19\n 2021-03-15T10:12:19Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 03:12:19","IsoTimestamp":"2021-03-15T10:12:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615803137"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T12:57:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 05:57:13\n 2021-03-15T12:57:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart\n 10.0.1.20\n \n \n \n ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\n address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 05:57:13","IsoTimestamp":"2021-03-15T12:57:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n","ExtraDetails":"address=34.66.114.180;retriescount=5;username=ELASTIC\\bart;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"WinDomain"},{"Name":"UserName","Value":"ELASTIC\\bart"},{"Name":"Address","Value":"34.66.114.180"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"CPMDisabled","Value":"(CPM)MaxRetries"},{"Name":"RetriesCount","Value":"5"},{"Name":"LastFailDate","Value":"1615813031"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LogonDomain","Value":"34.66.114.180"},{"Name":"CPMErrorDetails","Value":"Parameter Reconcile account is mandatory but has an empty value or is not defined"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T13:04:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 06:04:27\n 2021-03-15T13:04:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\n address=34.123.103.115;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 06:04:27","IsoTimestamp":"2021-03-15T13:04:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n","ExtraDetails":"address=34.123.103.115;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"0"},{"Name":"LastFailDate","Value":"1615813465"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"}]}}}} +<7>1 2021-03-15T14:44:37Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 15 07:44:37\n 2021-03-15T14:44:37Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 60\n CPM Reconcile Password Failed\n Error\n PasswordManager\n CPM Reconcile Password Failed\n \n \n partner\n Root\\Operating System-UnixSSH-34.123.103.115-testark\n 10.0.1.20\n \n \n \n ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\n address=34.123.103.115;retriescount=1;username=testark;\n CPM Reconcile Password Failed\n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 15 07:44:37","IsoTimestamp":"2021-03-15T14:44:37Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"60","Desc":"CPM Reconcile Password Failed","Severity":"Error","Issuer":"PasswordManager","Action":"CPM Reconcile Password Failed","SourceUser":"","TargetUser":"","Safe":"partner","File":"Root\\Operating System-UnixSSH-34.123.103.115-testark","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n","ExtraDetails":"address=34.123.103.115;retriescount=1;username=testark;","Message":"CPM Reconcile Password Failed","GatewayStation":"","CAProperties":{"CAProperty":[{"Name":"PolicyID","Value":"UnixSSH"},{"Name":"UserName","Value":"testark"},{"Name":"Address","Value":"34.123.103.115"},{"Name":"ResetImmediately","Value":"ReconcileTask"},{"Name":"CPMStatus","Value":"failure"},{"Name":"RetriesCount","Value":"1"},{"Name":"LastFailDate","Value":"1615819476"},{"Name":"LastTask","Value":"ReconcileTask"},{"Name":"LastSuccessVerification","Value":"1615803764"},{"Name":"CPMErrorDetails","Value":"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031"},{"Name":"CreationMethod","Value":"PVWA"},{"Name":"DeviceType","Value":"Operating System"},{"Name":"UseSudoOnReconcile","Value":"Yes"}]}}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log
new file mode 100644
index 00000000000..0d2f4d0e96e
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log
@@ -0,0 +1,8 @@ +<5>1 2021-03-10T09:11:54Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:54","IsoTimestamp":"2021-03-10T09:11:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_localhost.localdomain.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T17:58:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 09:58:05","IsoTimestamp":"2021-03-10T17:58:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"Administrator","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMNotifications","File":"Root\\SessionControl","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSMServer.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMLiveSessions","File":"Root\\PSM-ASR-CYBERARK-WI.LiveSessions","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-11T16:50:29Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:50:29\n 2021-03-11T16:50:29Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PVWAAppUser\n Create File Version\n \n \n PSMSessions\n Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\n 10.0.1.20\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:50:29","IsoTimestamp":"2021-03-11T16:50:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PVWAAppUser","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMSessions","File":"Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-11T16:59:58Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:58\n 2021-03-11T16:59:58Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_VAGRANT\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_VAGRANT.LiveSessions\n 81.32.170.205\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
08:59:58","IsoTimestamp":"2021-03-11T16:59:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_VAGRANT.LiveSessions","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}} +<5>1 2021-03-14T12:07:32Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:07:32\n 2021-03-14T12:07:32Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PasswordManager\n Create File Version\n \n \n AccountsFeedDiscoveryLogs\n Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\n 10.0.1.20\n \n \n \n \n \n Create File Version\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:07:32","IsoTimestamp":"2021-03-14T12:07:32Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PasswordManager","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"AccountsFeedDiscoveryLogs","File":"Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-14T12:57:27Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:27\n 2021-03-14T12:57:27Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 62\n Create File Version\n Info\n PSMPApp_SSH\n Create File Version\n \n \n PSMPLiveSessions\n Root\\PSMPApp_SSH.LiveSessions\n 34.71.250.247\n \n \n \n \n \n Create File Version\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
05:57:27","IsoTimestamp":"2021-03-14T12:57:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"62","Desc":"Create File Version","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Create File Version","SourceUser":"","TargetUser":"","Safe":"PSMPLiveSessions","File":"Root\\PSMPApp_SSH.LiveSessions","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Create File Version","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log
new file mode 100644
index 00000000000..82be0d698c1
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log
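Review bot: The new test-62-create-file-version.log records carry routable public addresses in `Station`/`GatewayStation` — `81.32.170.205`, `35.192.121.42` and `34.71.250.247` in this hunk — which point at real hosts once the fixture is published; the same values (plus `37.223.7.45`) recur in the test-7-logon.log and test-8-logoff.log hunks below, and the test-60 hunk above, which starts outside this view, carries `34.123.103.115` and `34.66.114.180` as well. Sample data should use the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`), while the `10.0.x.x` and `127.0.0.1` entries can stay as they are private or loopback. Because every `-config.yml` in this commit sets the `preserve_original_event` tag, the addresses are also kept verbatim in `event.original`, so any substitution has to be applied consistently across the fixture and whatever expected output is generated from it.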
@@ -0,0 +1,12 @@ +{"format":"elastic","version":"1.0","raw":"\n \n no\n Cyber-Ark\n Vault\n 11.6.0000\n 7\n Logon\n Info\n adm2\n Logon\n \n \n \n \n 10.2.0.6\n \n \n \n \n \n Logon\n 10.2.0.3\n \n","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.6.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"adm2","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.2.0.6","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.2.0.3","IsoTimestamp":"2021-03-16T15:01:00Z"}}} +<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PasswordManager","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:10:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:20","IsoTimestamp":"2021-03-04T19:10:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"SCIM-user","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:11:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 
11:11:20","IsoTimestamp":"2021-03-04T19:11:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T19:11:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:11:23","IsoTimestamp":"2021-03-04T19:11:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-05T10:18:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 05 02:18:50","IsoTimestamp":"2021-03-05T10:18:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-08T18:07:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 
10:07:51","IsoTimestamp":"2021-03-08T18:07:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T08:32:51Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 00:32:51","IsoTimestamp":"2021-03-09T08:32:51Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-09T10:14:58Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 09 02:14:58","IsoTimestamp":"2021-03-09T10:14:58Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"Administrator","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"37.223.7.45","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":"10.0.1.20"}}} +<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:48Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:48","IsoTimestamp":"2021-03-10T09:11:48Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}}
+<5>1 2021-03-10T09:11:49Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:49","IsoTimestamp":"2021-03-10T09:11:49Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log
new file mode 100644
index 00000000000..55eeab9c1a7
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log
@@ -0,0 +1,15 @@ +<5>1 2021-03-08T18:19:15Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:19:15","IsoTimestamp":"2021-03-08T18:19:15Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-08T18:59:23Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:59:23","IsoTimestamp":"2021-03-08T18:59:23Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:28","IsoTimestamp":"2021-03-10T08:28:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PasswordManager","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:29Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
00:28:29","IsoTimestamp":"2021-03-10T08:28:29Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T08:28:30Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:28:30","IsoTimestamp":"2021-03-10T08:28:30Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:11:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
01:11:33","IsoTimestamp":"2021-03-10T09:11:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:20Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:20","IsoTimestamp":"2021-03-10T09:12:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T09:12:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:12:27","IsoTimestamp":"2021-03-10T09:12:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-10T22:17:27Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 
14:17:27","IsoTimestamp":"2021-03-10T22:17:27Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-11T17:38:13Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:38:13\n 2021-03-11T17:38:13Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 127.0.0.1\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:38:13","IsoTimestamp":"2021-03-11T17:38:13Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T17:48:28Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:48:28\n 2021-03-11T17:48:28Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 10.0.2.2\n \n \n \n \n \n Logoff\n 81.32.170.205\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:48:28","IsoTimestamp":"2021-03-11T17:48:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.2.2","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"81.32.170.205"}}} +<5>1 2021-03-11T17:49:06Z VAULT 
{"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 09:49:06\n 2021-03-11T17:49:06Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n PSMPGW_VAGRANT\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 09:49:06","IsoTimestamp":"2021-03-11T17:49:06Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T12:57:20Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:20\n 2021-03-14T12:57:20Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Logoff\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:20","IsoTimestamp":"2021-03-14T12:57:20Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":""}}} +<5>1 2021-03-14T13:49:36Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 06:49:36\n 2021-03-14T13:49:36Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 8\n Logoff\n Info\n Administrator\n Logoff\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Logoff\n 34.71.250.247\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 
06:49:36","IsoTimestamp":"2021-03-14T13:49:36Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"8","Desc":"Logoff","Severity":"Info","Issuer":"Administrator","Action":"Logoff","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logoff","GatewayStation":"34.71.250.247"}}}
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml
new file mode 100644
index 00000000000..5622947e4b8
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml
@@ -0,0 +1,5 @@
+dynamic_fields:
+ event.ingested: ".*"
+fields:
+ tags:
+ - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log
new file mode 100644
index 00000000000..308e66ee8c0
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log
@@ -0,0 +1,18 @@ +<5>1 2021-03-04T19:16:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:16:19","IsoTimestamp":"2021-03-04T19:16:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-04T19:16:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:16:19","IsoTimestamp":"2021-03-04T19:16:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAAppUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +Mar 08 02:54:46 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PVWAGWUser","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T08:29:19Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:19","IsoTimestamp":"2021-03-10T08:29:19Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"Prov_COMPONENTS","Action":"Set 
Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T08:29:28Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 00:29:28","IsoTimestamp":"2021-03-10T08:29:28Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PasswordManager","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:52Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:52","IsoTimestamp":"2021-03-10T09:11:52Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T09:11:55Z VAULT 
{"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 01:11:55","IsoTimestamp":"2021-03-10T09:11:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_localhost.localdomain","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T18:46:47Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:46:47","IsoTimestamp":"2021-03-10T18:46:47Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set 
Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-10T22:20:12Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:20:12","IsoTimestamp":"2021-03-10T22:20:12Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMGw_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:54Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:54\n 2021-03-11T16:59:54Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 08:59:54","IsoTimestamp":"2021-03-11T16:59:54Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T16:59:55Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 08:59:55\n 2021-03-11T16:59:55Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_VAGRANT\n Set Password\n \n \n \n \n 81.32.170.205\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 
08:59:55","IsoTimestamp":"2021-03-11T16:59:55Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_VAGRANT","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-11T20:10:33Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 11 12:10:33\n 2021-03-11T20:10:33Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMApp_ASR-WIN\n Set Password\n \n \n \n \n 34.66.114.180\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 12:10:33","IsoTimestamp":"2021-03-11T20:10:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMApp_ASR-WIN","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.66.114.180","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPGW_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPGW_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set 
Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMPApp_SSH\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMPApp_SSH","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} +<5>1 2021-03-14T12:57:25Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n Mar 14 05:57:25\n 2021-03-14T12:57:25Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 88\n Set Password\n Info\n PSMP_ADB_asr-cyberark-psm-ssh\n Set Password\n \n \n \n \n 34.71.250.247\n \n \n \n \n \n Set Password\n \n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 14 05:57:25","IsoTimestamp":"2021-03-14T12:57:25Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"88","Desc":"Set Password","Severity":"Info","Issuer":"PSMP_ADB_asr-cyberark-psm-ssh","Action":"Set Password","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"34.71.250.247","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Set Password","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null 
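Review bot: The fixture lines in this hunk carry publicly routable addresses in `Station` (`81.32.170.205`, `34.71.250.247`, `35.192.121.42`, `34.66.114.180`); the same applies to `Station` in test-98-open-file-write-only.log (`81.32.170.205`, `35.192.121.42`) and, judging by the tail visible above, to `Station` and `GatewayStation` in the preceding test-8-logoff.log. Since these are committed test data that will also be copied into the generated `-expected.json` files, they should be rewritten to documentation ranges (RFC 5737: `192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) before the expected output is generated, both to avoid publishing what looks like a real lab or residential address and because, if I remember correctly, elastic-package's sample-event checks reject non-reserved IPs. Private and loopback addresses such as `10.0.1.20` and `127.0.0.1` can stay as they are.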
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log new file mode 100644 index 00000000000..f3062f7ea56 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log 
@@ -0,0 +1,4 @@ +<5>1 2021-03-08T18:24:50Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 08 10:24:50","IsoTimestamp":"2021-03-08T18:24:50Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAPrivateUserPrefs","File":"Root\\YWRtaW5pc3RyYXRvcg==","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T18:44:08Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 10:44:08","IsoTimestamp":"2021-03-10T18:44:08Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"81.32.170.205","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-10T22:17:40Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 10 14:17:40","IsoTimestamp":"2021-03-10T22:17:40Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"ROOT\\PVConfiguration.xml","Station":"35.192.121.42","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":""}}} +<5>1 2021-03-11T19:45:26Z VAULT {"format":"elastic","version":"1.0","raw":"\n\n \n yes\n 
Mar 11 11:45:26\n 2021-03-11T19:45:26Z\n VAULT\n Cyber-Ark\n Vault\n 11.7.0000\n 98\n Open File (Write Only)\n Info\n Administrator\n Open File (Write Only)\n \n \n PVWAConfig\n Root\\PVConfiguration.xml\n 127.0.0.1\n \n \n \n \n \n Open File (Write Only)\n 10.0.1.20\n \n\n","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 11 11:45:26","IsoTimestamp":"2021-03-11T19:45:26Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"98","Desc":"Open File (Write Only)","Severity":"Info","Issuer":"Administrator","Action":"Open File (Write Only)","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\PVConfiguration.xml","Station":"127.0.0.1","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File (Write Only)","GatewayStation":"10.0.1.20"}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log new file mode 100644 index 00000000000..ad94c953cc7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log 
@@ -0,0 +1 @@ +<5>1 2021-03-04T19:10:05Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 11:10:05","IsoTimestamp":"2021-03-04T19:10:05Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"99","Desc":"Open File","Severity":"Info","Issuer":"PVWAAppUser","Action":"Open File","SourceUser":"","TargetUser":"","Safe":"PVWAConfig","File":"Root\\EPMConfiguration.xml","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Open File","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log new file mode 100644 index 00000000000..e454ec622b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log @@ -0,0 +1 @@ +Mar 08 03:41:01 VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"no","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-BusinessWebsite.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log new file mode 100644 index 00000000000..f5774af5ef9 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log 
@@ -0,0 +1,4 @@ +<5>1 2021-03-04T17:27:14Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:14","IsoTimestamp":"2021-03-04T17:27:14Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAGWUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T17:27:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:21","IsoTimestamp":"2021-03-04T17:27:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PasswordManager","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} +<5>1 2021-03-04T17:27:21Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 09:27:21","IsoTimestamp":"2021-03-04T17:27:21Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"51","Desc":"Retrieve File","Severity":"Info","Issuer":"PasswordManager","Action":"Retrieve File","SourceUser":"","TargetUser":"","Safe":"PasswordManagerShared","File":"Root\\Policies\\Policy-GenericWebApp.ini","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Retrieve File","GatewayStation":""}}} +<5>1 2021-03-04T17:27:33Z VAULT {"format":"elastic","version":"1.0","syslog":{"audit_record":{"Rfc5424":"yes","Timestamp":"Mar 04 
09:27:33","IsoTimestamp":"2021-03-04T17:27:33Z","Hostname":"VAULT","Vendor":"Cyber-Ark","Product":"Vault","Version":"11.7.0000","MessageID":"7","Desc":"Logon","Severity":"Info","Issuer":"PVWAAppUser","Action":"Logon","SourceUser":"","TargetUser":"","Safe":"","File":"","Station":"10.0.1.20","Location":"","Category":"","RequestId":"","Reason":"","ExtraDetails":"","Message":"Logon","GatewayStation":""}}} diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml new file mode 100644 index 00000000000..5622947e4b8 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml @@ -0,0 +1,5 @@ +dynamic_fields: + event.ingested: ".*" +fields: + tags: + - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 3f490998b62..551e0d22aa0 100644 --- a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -10,7 +10,7 @@ processors: value: '{{{_ingest.timestamp}}}' - set: field: ecs.version - value: 1.9.0 + value: "1.10.0" # # Set event.original from message, unless reindexing. From c4e7bf4eb901998146f2f1f4a5727a9b4cb9c0d6 Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Mon, 31 May 2021 17:30:47 +0200 Subject: [PATCH 2/7] updating cyberarkpas ECS version and adding pipeline tests --- ...st-105-add-file-category.log-expected.json | 428 ++++ ...106-update-file-category.log-expected.json | 426 ++++ ...107-delete-file-category.log-expected.json | 74 + .../test-124-rename-file.log-expected.json | 72 + ...est-125-rename-file-cont.log-expected.json | 72 + .../test-126-unlock-file.log-expected.json | 62 + ...130-cpm-disable-password.log-expected.json | 106 + ...t-178-get-user-s-details.log-expected.json | 60 + .../test-180-add-user.log-expected.json | 982 ++++++++ .../test-181-update-safe.log-expected.json | 70 + .../test-185-add-safe.log-expected.json | 137 ++ .../test-187-add-folder.log-expected.json | 133 + ...-full-gateway-connection.log-expected.json | 834 +++++++ ...rtial-gateway-connection.log-expected.json | 59 + ...kup-files-deletion-start.log-expected.json | 57 + ...ackup-files-deletion-end.log-expected.json | 57 + ...t-22-cpm-verify-password.log-expected.json | 217 ++ ...23-action-on-closed-safe.log-expected.json | 192 ++ ...t-24-cpm-change-password.log-expected.json | 408 ++++ ...est-259-add-update-group.log-expected.json | 268 ++ ...est-265-add-group-member.log-expected.json | 935 +++++++ ...-266-remove-group-member.log-expected.json | 137 ++ .../test-273-remove-owner.log-expected.json | 71 + .../test-278-add-rule.log-expected.json | 65 + ...lear-users-history-start.log-expected.json | 103 + ...-clear-users-history-end.log-expected.json | 103 + ...lear-safes-history-start.log-expected.json | 57 + ...-clear-safes-history-end.log-expected.json | 57 + .../test-294-store-password.log-expected.json | 736 ++++++ ...st-295-retrieve-password.log-expected.json | 1244 ++++++++++ .../test-300-psm-connect.log-expected.json | 2162 +++++++++++++++++ .../test-302-psm-disconnect.log-expected.json | 2055 ++++++++++++++++ ...304-psm-upload-recording.log-expected.json | 75 + .../test-308-use-password.log-expected.json 
| 1249 ++++++++++ ...309-undefined-user-logon.log-expected.json | 418 ++++ ...1-cpm-reconcile-password.log-expected.json | 97 + ...tor-dr-replication-start.log-expected.json | 103 + ...nitor-dr-replication-end.log-expected.json | 103 + ...ord-detailed-information.log-expected.json | 71 + ...-317-reset-user-password.log-expected.json | 70 + .../test-32-add-owner.log-expected.json | 1363 +++++++++++ ...cpm-auto-detection-start.log-expected.json | 69 + ...7-cpm-auto-detection-end.log-expected.json | 69 + .../test-33-update-owner.log-expected.json | 599 +++++ ...se-expiration-date-start.log-expected.json | 57 + ...ense-expiration-date-end.log-expected.json | 57 + ...7-monitor-fw-rules-start.log-expected.json | 103 + ...358-monitor-fw-rules-end.log-expected.json | 103 + .../test-359-sql-command.log-expected.json | 1194 +++++++++ ...st-361-keystroke-logging.log-expected.json | 933 +++++++ ...m-verify-password-failed.log-expected.json | 1740 +++++++++++++ ...5-blservice-audit-record.log-expected.json | 324 +++ ...st-4-user-authentication.log-expected.json | 158 ++ .../test-411-window-title.log-expected.json | 116 + ...st-412-keystroke-logging.log-expected.json | 121 + ...t-414-cpm-verify-ssh-key.log-expected.json | 115 + .../test-427-store-ssh-key.log-expected.json | 72 + ...est-428-retrieve-ssh-key.log-expected.json | 357 +++ ...eate-discovery-succeeded.log-expected.json | 59 + .../test-459-general-audit.log-expected.json | 251 ++ ...thentication-was-updated.log-expected.json | 57 + ...ault-certificate-is-sha1.log-expected.json | 105 + ...bulk-operation-succeeded.log-expected.json | 57 + .../test-50-store-file.log-expected.json | 398 +++ .../test-51-retrieve-file.log-expected.json | 120 + .../test-52-delete-file.log-expected.json | 731 ++++++ ...m-change-password-failed.log-expected.json | 118 + ...st-59-clear-safe-history.log-expected.json | 159 ++ ...econcile-password-failed.log-expected.json | 1083 +++++++++ ...t-62-create-file-version.log-expected.json | 548 +++++ 
.../pipeline/test-7-logon.log-expected.json | 895 +++++++ .../pipeline/test-8-logoff.log-expected.json | 1154 +++++++++ .../test-88-set-password.log-expected.json | 1101 +++++++++ ...-98-open-file-write-only.log-expected.json | 269 ++ .../test-99-open-file.log-expected.json | 62 + .../test-legacysyslog.log-expected.json | 55 + .../test-rfc5424syslog.log-expected.json | 263 ++ 77 files changed, 29660 insertions(+) create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json create mode 
100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json
create mode 100644 
packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json
create mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
new file mode 100644
index 00000000000..2a4991e7a2b
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
@@ -0,0 +1,428 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:24:49.000Z", + "file": { + "path": "Root\\Operating System-WinDesktopLocal-Address-adriansr" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Value=[Address]", + "iso_timestamp": "2021-03-08T18:24:49Z", + "gateway_station": "10.0.1.20", + "message": "Add File Category", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "safe": "Test", + "station": "127.0.0.1", + "action": "Add File Category", + "category": "Address", + "timestamp": "Mar 08 10:24:49", + "desc": "Add File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add file category", + "ingested": "2021-05-31T15:30:15.911672800Z", + "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "105", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:54.000Z", + "file": { + "path": "Root\\PSMPApp_localhost.localdomain.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:54Z", + "file": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "safe": "PSMPLiveSessions", + "station": "81.32.170.205", + "action": "Add File Category", + "message": "Add File Category", + "category": "_PSMLiveSessions_1", + "issuer": "PSMPApp_localhost.localdomain", + "timestamp": "Mar 10 01:11:54", + "desc": "Add File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add file category", + "ingested": "2021-05-31T15:30:15.911698400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "code": "105", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:46:48.000Z", + "file": { + "path": "Root\\PSMServer.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:46:48Z", + "file": "Root\\PSMServer.LiveSessions", + "safe": "PSMLiveSessions", + "station": "81.32.170.205", + "action": "Add File Category", + "message": "Add File Category", + "category": "_PSMLiveSessions_1", + "issuer": "PSMApp_VAGRANT", + "timestamp": "Mar 10 10:46:48", + "desc": "Add File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add file category", + "ingested": "2021-05-31T15:30:15.911707400Z", + "original": 
"\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "code": "105", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:17:26.000Z", + "file": { + "path": "Root\\PSM-ASR-CYBERARK-WI" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Value=[ASR-CYBERARK-WI]", + "iso_timestamp": "2021-03-10T22:17:26Z", + "message": "Add File Category", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\PSM-ASR-CYBERARK-WI", + "safe": "PSM", + "station": "35.192.121.42", + "action": "Add File Category", + "category": "LogonDomain", + "timestamp": "Mar 10 14:17:26", + "desc": "Add File Category" + } + }, + "host": { + "name": "VAULT" + }, + 
"event": { + "severity": 2, + "action": "add file category", + "ingested": "2021-05-31T15:30:15.911712900Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"LogonDomain\",\"RequestId\":\"\",\"Reason\":\"Value=[ASR-CYBERARK-WI]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "code": "105", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:20:12.000Z", + "file": { + "path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:20:12Z", + "file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "safe": "PSMLiveSessions", + "station": "35.192.121.42", + "action": "Add File Category", + "message": "Add File Category", + "category": "_PSMLiveSessions_1", + "issuer": 
"PSMApp_ASR-WIN", + "timestamp": "Mar 10 14:20:12", + "desc": "Add File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add file category", + "ingested": "2021-05-31T15:30:15.911718Z", + "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "code": "105", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:58.000Z", + "file": { + "path": "Root\\PSMPApp_VAGRANT.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T16:59:58Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n 
\u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e105\u003c/MessageID\u003e\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Add File Category", + "issuer": "PSMPApp_VAGRANT", + "rfc5424": true, + "file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "safe": "PSMPLiveSessions", + "station": "81.32.170.205", + "action": "Add File Category", + "category": "_PSMLiveSessions_1", + "timestamp": "Mar 11 08:59:58", + "desc": "Add File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add file category", + "ingested": "2021-05-31T15:30:15.911723500Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 
08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e105\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", + "code": "105", + "kind": "event" + } + 
}
+ ]
+}
\ No newline at end of file
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json
new file mode 100644
index 00000000000..f6711e9a618
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json
@@ -0,0 +1,426 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:25:52.000Z", + "file": { + "path": "Root\\Operating System-WinDesktopLocal-Address-adriansr" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Value=[components] Old Value=[Address]", + "iso_timestamp": "2021-03-08T18:25:52Z", + "gateway_station": "10.0.1.20", + "message": "Update File Category", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "safe": "Test", + "station": "127.0.0.1", + "action": "Update File Category", + "category": "Address", + "timestamp": "Mar 08 10:25:52", + "desc": "Update File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update file category", + "ingested": "2021-05-31T15:30:16.293054300Z", + "original": "\u003c5\u003e1 2021-03-08T18:25:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:25:52\",\"IsoTimestamp\":\"2021-03-08T18:25:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[components] Old Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "106", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:46:48.000Z", + "file": { + "path": "Root\\PSMServer.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:46:48Z", + "file": "Root\\PSMServer.LiveSessions", + "safe": "PSMLiveSessions", + "station": "81.32.170.205", + "action": "Update File Category", + "message": "Update File Category", + "category": "_PSMLiveSessions_1", + "issuer": "PSMApp_VAGRANT", + "timestamp": "Mar 10 10:46:48", + "desc": "Update File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update file category", + "ingested": "2021-05-31T15:30:16.293077600Z", + "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "code": "106", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:20:12.000Z", + "file": { + "path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:20:12Z", + "file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "safe": "PSMLiveSessions", + "station": "35.192.121.42", + "action": "Update File Category", + "message": "Update File Category", + "category": "_PSMLiveSessions_1", + "issuer": "PSMApp_ASR-WIN", + "timestamp": "Mar 10 14:20:12", + "desc": "Update File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update file category", + "ingested": "2021-05-31T15:30:16.293099700Z", + "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "code": "106", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:26.000Z", + "file": { + "path": "root\\87012dcc-8290-11eb-949e-080027efd402.session" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:38:26Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e106\u003c/MessageID\u003e\n 
\u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003eroot\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Update File Category", + "issuer": "PSMPApp_VAGRANT", + "rfc5424": true, + "file": "root\\87012dcc-8290-11eb-949e-080027efd402.session", + "safe": "PSMRecordings", + "station": "81.32.170.205", + "action": "Update File Category", + "category": "PSMStatus", + "timestamp": "Mar 11 09:38:26", + "desc": "Update File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update file category", + "ingested": "2021-05-31T15:30:16.293106100Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n 
\u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.session\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"PSMStatus\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "code": "106", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", 
+ "ip": "34.66.114.180" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T20:10:33.000Z", + "file": { + "path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T20:10:33Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Update File Category", + "issuer": "PSMApp_ASR-WIN", + "rfc5424": true, + "file": 
"Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "safe": "PSMLiveSessions", + "station": "34.66.114.180", + "action": "Update File Category", + "category": "_PSMLiveSessions_1", + "timestamp": "Mar 11 12:10:33", + "desc": "Update File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update file category", + "ingested": "2021-05-31T15:30:16.293111100Z", + "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "code": "106", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:49:38.000Z", + "file": { + "path": "Root\\PSMPApp_SSH.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:49:38Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e106\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Update File Category", + "issuer": "PSMPApp_SSH", + "rfc5424": true, + "file": "Root\\PSMPApp_SSH.LiveSessions", + "safe": "PSMPLiveSessions", + "station": "34.71.250.247", + "action": "Update File Category", + "category": "_PSMLiveSessions_1", + "timestamp": "Mar 14 06:49:38", + "desc": "Update File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update file category", + "ingested": "2021-05-31T15:30:16.293115700Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:38\",\"IsoTimestamp\":\"2021-03-14T13:49:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", + "code": "106", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json new file mode 100644 index 00000000000..65978555f97 --- /dev/null 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json 
@@ -0,0 +1,74 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:22:24.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Old Value=[1615803137]", + "iso_timestamp": "2021-03-15T10:22:24Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e107\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eOld 
Value=[1615803137]\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Delete File Category", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "127.0.0.1", + "action": "Delete File Category", + "category": "LastFailDate", + "timestamp": "Mar 15 03:22:24", + "desc": "Delete File Category" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file category", + "ingested": "2021-05-31T15:30:16.448225100Z", + "original": "\u003c5\u003e1 2021-03-15T10:22:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e107\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:24\",\"IsoTimestamp\":\"2021-03-15T10:22:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"107\",\"Desc\":\"Delete File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"LastFailDate\",\"RequestId\":\"\",\"Reason\":\"Old Value=[1615803137]\",\"ExtraDetails\":\"\",\"Message\":\"Delete File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "107", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json new file mode 100644 index 00000000000..bd7666633a4 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json 
@@ -0,0 +1,72 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:42:20.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:42:20Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e124\u003c/MessageID\u003e\n \u003cDesc\u003eRename File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRename File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003eRename File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Rename File", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-PSMConnect", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Rename File", + "timestamp": "Mar 14 06:42:20", + "desc": "Rename File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "rename file", + "ingested": "2021-05-31T15:30:16.483910300Z", + "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e124\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"124\",\"Desc\":\"Rename File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "124", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json new file mode 100644 index 00000000000..42a90fe6421 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json 
@@ -0,0 +1,72 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:42:20.000Z", + "file": { + "path": "Operating System-UnixSSH-34.71.250.247-PSMConnect" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:42:20Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e125\u003c/MessageID\u003e\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eOperating System-UnixSSH-34.71.250.247-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Rename File (Cont.)", + "issuer": "Administrator", + "rfc5424": true, + "file": "Operating System-UnixSSH-34.71.250.247-PSMConnect", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Rename File (Cont.)", + "timestamp": "Mar 14 06:42:20", + "desc": "Rename File (Cont.)" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "rename file (cont.)", + "ingested": "2021-05-31T15:30:16.518188800Z", + "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e125\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eOperating System-UnixSSH-34.71.250.247-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File 
(Cont.)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"125\",\"Desc\":\"Rename File (Cont.)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File (Cont.)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Operating System-UnixSSH-34.71.250.247-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File (Cont.)\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "125", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json new file mode 100644 index 00000000000..9b109c08816 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json 
@@ -0,0 +1,62 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:33:34.000Z", + "file": { + "path": "Root\\PVConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:33:34Z", + "file": "Root\\PVConfiguration.xml", + "safe": "PVWAConfig", + "station": "127.0.0.1", + "action": "Unlock File", + "message": "Unlock File", + "issuer": "Administrator", + "timestamp": "Mar 10 10:33:34", + "desc": "Unlock File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "unlock file", + "ingested": "2021-05-31T15:30:16.550492500Z", + "original": "\u003c5\u003e1 2021-03-10T18:33:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:33:34\",\"IsoTimestamp\":\"2021-03-10T18:33:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"126\",\"Desc\":\"Unlock File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Unlock File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Unlock File\",\"GatewayStation\":\"\"}}}", + "code": "126", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json new file mode 100644 index 00000000000..2bdd97b9e0f --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json 
@@ -0,0 +1,106 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T12:57:13.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "iso_timestamp": "2021-03-15T12:57:13Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e130\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n 
\u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"(CPM)MaxRetries\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"5\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Disable Password", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "5", + "address": "34.66.114.180" + }, + "username": "ELASTIC\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC\\bart", + "cpm_disabled": "(CPM)MaxRetries", + "device_type": "Operating System", + "retries_count": "5", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "last_fail_date": "1615813031", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Disable Password", + "timestamp": "Mar 15 05:57:13", + "desc": "CPM Disable Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "ingested": "2021-05-31T15:30:16.608141700Z", + "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e130\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n 
\u003cAction\u003eCPM Disable Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" 
Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"130\",\"Desc\":\"CPM Disable Password\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Disable Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Disable Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "130", + "kind": "event", + "action": "cpm disable password", + "type": [ + "user", + "change" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "ELASTIC\\bart" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json new file mode 100644 index 00000000000..910df9b470a --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json 
@@ -0,0 +1,60 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T18:45:23.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-11T18:45:23Z", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:45:23\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:45:23Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e178\u003c/MessageID\u003e\n \u003cDesc\u003eGet User's Details\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eGet User's Details\u003c/Action\u003e\n \u003cSourceUser\u003eMaster\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eGet User's Details\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Get User's Details", + "source_user": "Master", + "message": "Get User's Details", 
+ "issuer": "Administrator", + "timestamp": "Mar 11 10:45:23", + "desc": "Get User's Details" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:16.687003100Z", + "original": "\u003c7\u003e1 2021-03-11T18:45:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:45:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:45:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e178\u003c/MessageID\u003e\\n \u003cDesc\u003eGet User's Details\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eGet User's Details\u003c/Action\u003e\\n \u003cSourceUser\u003eMaster\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGet User's Details\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:45:23\",\"IsoTimestamp\":\"2021-03-11T18:45:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"178\",\"Desc\":\"Get User's 
Details\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Get User's Details\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Get User's Details\",\"GatewayStation\":\"\"}}}", + "code": "178", + "kind": "event", + "action": "get user's details", + "type": "error" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json new file mode 100644 index 00000000000..387f05f800f --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json 
@@ -0,0 +1,982 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPApp_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "station": "81.32.170.205", + "action": "Add User", + "source_user": "PSMPApp_localhost.localdomain", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714782500Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + 
"user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMPApp_localhost.localdomain" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "station": "81.32.170.205", + "action": "Add User", + "source_user": "PSMPGW_localhost.localdomain", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714810800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMPGW_localhost.localdomain" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:35.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMP_ADB_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:35Z", + "station": "81.32.170.205", + "action": "Add User", + "source_user": "PSMP_ADB_localhost.localdomain", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:35", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714816900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMP_ADB_localhost.localdomain" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:19.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMApp_VAGRANT" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:19Z", + "station": "81.32.170.205", + "action": "Add User", + "source_user": "PSMApp_VAGRANT", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:19", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714821500Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:19Z VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:19\",\"IsoTimestamp\":\"2021-03-10T17:59:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMApp_VAGRANT" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:27.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMGw_VAGRANT" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:27Z", + "station": "81.32.170.205", + "action": "Add User", + "source_user": "PSMGw_VAGRANT", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:27", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": 
"2021-05-31T15:30:16.714825700Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:27\",\"IsoTimestamp\":\"2021-03-10T17:59:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMGw_VAGRANT" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:19:06.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMApp_ASR-WIN" + ], + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:19:06Z", + "station": "35.192.121.42", + "action": "Add User", + "source_user": "PSMApp_ASR-WIN", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 10 14:19:06", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + 
}, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714829600Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:06\",\"IsoTimestamp\":\"2021-03-10T22:19:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMApp_ASR-WIN" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:19:15.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMGw_ASR-WIN" + ], + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:19:15Z", + "station": "35.192.121.42", + "action": "Add User", + "source_user": "PSMGw_ASR-WIN", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 10 14:19:15", + "desc": "Add 
User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714833500Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:15\",\"IsoTimestamp\":\"2021-03-10T22:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMGw_ASR-WIN" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:36.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPApp_VAGRANT" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:59:36Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n 
\u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add User", + "source_user": "PSMPApp_VAGRANT", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 11 08:59:36", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714837600Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMPApp_VAGRANT" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": 
"ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:36.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_VAGRANT" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:59:36Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add User", + "source_user": 
"PSMPGW_VAGRANT", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 11 08:59:36", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714841900Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add 
User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMPGW_VAGRANT" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:16.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_SSH" + ], + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:16Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd 
User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add User", + "source_user": "PSMPGW_SSH", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:16", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714845700Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n 
\u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMPGW_SSH" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:16.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPApp_SSH" + ], + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:16Z", + "station": "34.71.250.247", + "raw": 
"\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add User", + "source_user": "PSMPApp_SSH", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:16", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714850900Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMPApp_SSH" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + 
"location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:21.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMP_ADB_asr-cyberark-psm-ssh" + ], + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:21Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e180\u003c/MessageID\u003e\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd User\u003c/Action\u003e\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd User\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add User", + "source_user": 
"PSMP_ADB_asr-cyberark-psm-ssh", + "message": "Add User", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:21", + "desc": "Add User" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:16.714855200Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add 
User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", + "code": "180", + "kind": "event", + "action": "add user", + "type": [ + "user", + "creation" + ], + "category": [ + "iam" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "PSMP_ADB_asr-cyberark-psm-ssh" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json new file mode 100644 index 00000000000..d6a164557d7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json 
@@ -0,0 +1,70 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:15:44.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:15:44Z", + "safe": "PSM", + "station": "81.32.170.205", + "action": "Update Safe", + "message": "Update Safe", + "issuer": "Administrator", + "timestamp": "Mar 10 10:15:44", + "desc": "Update Safe" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update safe", + "ingested": "2021-05-31T15:30:17.020127900Z", + "original": "\u003c5\u003e1 2021-03-10T18:15:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:15:44\",\"IsoTimestamp\":\"2021-03-10T18:15:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"181\",\"Desc\":\"Update Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Safe\",\"GatewayStation\":\"\"}}}", + "code": "181", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json new file mode 100644 index 00000000000..00d17811329 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json 
@@ -0,0 +1,137 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Safe", + "message": "Add Safe", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Safe" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add safe", + "ingested": "2021-05-31T15:30:17.056870700Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", + "code": "185", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + 
"region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:13.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:38:13Z", + "safe": "PSMRecordings", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e185\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add Safe", + "message": "Add Safe", + "issuer": "PSMPApp_VAGRANT", + "timestamp": "Mar 11 09:38:13", + "desc": "Add Safe" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add safe", + "ingested": "2021-05-31T15:30:17.056892300Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e185\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", + "code": "185", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json new file mode 100644 index 00000000000..0c77139f49d --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json 
@@ -0,0 +1,133 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:40.000Z", + "file": { + "path": "Root\\Scripts\\" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:40Z", + "file": "Root\\Scripts\\", + "safe": "PSMPADBridgeConf", + "station": "81.32.170.205", + "action": "Add Folder", + "message": "Add Folder", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:40", + "desc": "Add Folder" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add folder", + "ingested": "2021-05-31T15:30:17.112776900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:40\",\"IsoTimestamp\":\"2021-03-10T09:11:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"Root\\\\Scripts\\\\\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", + "code": "187", + "kind": 
"event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T18:01:14.000Z", + "file": { + "path": "Root\\2\\" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T18:01:14Z", + "file": "Root\\2\\", + "safe": "PSMUnmanagedSessionAccounts", + "station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e187\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Folder\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\n \u003cAction\u003eAdd Folder\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\n \u003cFile\u003eRoot\\2\\\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Folder\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + 
"action": "Add Folder", + "message": "Add Folder", + "issuer": "PVWAAppUser", + "timestamp": "Mar 11 10:01:14", + "desc": "Add Folder" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add folder", + "ingested": "2021-05-31T15:30:17.112797300Z", + "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e187\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Folder\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Folder\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\\\\\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Folder\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add 
Folder\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\\\\\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", + "code": "187", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json new file mode 100644 index 00000000000..1784f6e09b9 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json 
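Review bot: The expected documents for MessageID 187 (Add Folder) carry `event.action`, `event.code` and `event.kind` but no `event.category`, `event.type` or `event.outcome`, whereas the Full Gateway Connection (19) documents in the following file get `network` / `start` / `success`; if that asymmetry is intentional it should be stated, but creation of a safe or folder is exactly the vault change ECS-based detection rules key on, so the pipeline likely wants something like `"category": ["configuration"], "type": ["creation"]` for 185/187 and this fixture regenerated afterwards. Separately, the fixture enriches `81.32.170.205` to a Barcelona location, which looks like a real public address rather than a documentation range; consider rewriting public addresses in the paired `.log` inputs to RFC 5737 space (or the addresses the test GeoIP database knows) so committed fixtures do not embed what may be real infrastructure. The `.log` input this expected file is paired with is outside this hunk.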
@@ -0,0 +1,834 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "Administrator" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "user": { + "name": "PVWAGWUser" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:07:51.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser", + "Administrator" + ], + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:07:51Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "action": "Full Gateway Connection", + "source_user": "PVWAGWUser", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 08 10:07:51", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.169527500Z", + "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "19", + "kind": "event", 
+ "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "Administrator" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "PVWAGWUser" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "inbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T08:32:51.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser", + "Administrator" + ], + "ip": [ + "81.32.170.205", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T08:32:51Z", + "gateway_station": "10.0.1.20", + "station": "81.32.170.205", + "action": "Full Gateway Connection", + "source_user": "PVWAGWUser", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 09 00:32:51", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.169546900Z", + "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway 
Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "Administrator" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "37.223.7.45", + "user": { + "name": "PVWAGWUser" + }, + "ip": "37.223.7.45" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "inbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T10:14:58.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser", + "Administrator" + ], + "ip": [ + "37.223.7.45", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T10:14:58Z", + "gateway_station": "10.0.1.20", + "station": "37.223.7.45", + "action": "Full Gateway Connection", + "source_user": "PVWAGWUser", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 09 02:14:58", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": 
"2021-05-31T15:30:17.169552400Z", + "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "user": { + "name": "PVWAGWUser" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:31:50.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser", + "PasswordManager" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T08:31:50Z", + "gateway_station": "10.0.1.20", + "station": "10.0.1.20", + "action": "Full Gateway Connection", + "source_user": "PVWAGWUser", + "message": "Full Gateway Connection", + "issuer": "PasswordManager", + "timestamp": "Mar 10 
00:31:50", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.169557200Z", + "original": "\u003c5\u003e1 2021-03-10T08:31:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:50\",\"IsoTimestamp\":\"2021-03-10T08:31:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "Administrator" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "user": { + "name": "PVWAGWUser" + }, + "address": "10.0.1.10", + "ip": "10.0.1.10" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:37:00.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser", + "Administrator" + ], + "ip": [ + "10.0.1.10", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:37:00Z", + "gateway_station": "10.0.1.20", + "station": "10.0.1.10", + "action": "Full Gateway 
Connection", + "source_user": "PVWAGWUser", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 10 14:37:00", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.169561700Z", + "original": "\u003c5\u003e1 2021-03-10T22:37:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:37:00\",\"IsoTimestamp\":\"2021-03-10T22:37:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.10\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "source": { + "user": { + "name": "PSMPGW_VAGRANT" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + 
"@timestamp": "2021-03-11T17:38:05.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_VAGRANT", + "Administrator" + ], + "ip": [ + "127.0.0.1", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:38:05Z", + "gateway_station": "81.32.170.205", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Full Gateway Connection", + "source_user": "PSMPGW_VAGRANT", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 11 09:38:05", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": 
{ + "severity": 2, + "ingested": "2021-05-31T15:30:17.169565600Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:05\",\"IsoTimestamp\":\"2021-03-11T17:38:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PSMPGW_VAGRANT" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "source": { + "user": { + "name": "PSMPGW_VAGRANT" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:48:22.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_VAGRANT", + "Administrator" + ], + "ip": [ + "10.0.2.2", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:48:22Z", + "gateway_station": "81.32.170.205", + "station": "10.0.2.2", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n 
\u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Full Gateway Connection", + "source_user": "PSMPGW_VAGRANT", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 11 09:48:22", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.169569600Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway 
Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:22\",\"IsoTimestamp\":\"2021-03-11T17:48:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PSMPGW_VAGRANT" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "Administrator" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": 
"United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "user": { + "name": "PVWAGWUser" + }, + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "inbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T18:02:57.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser", + "Administrator" + ], + "ip": [ + "35.192.121.42", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T18:02:57Z", + "gateway_station": "10.0.1.20", + "station": "35.192.121.42", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Full Gateway Connection", + "source_user": "PVWAGWUser", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 11 10:02:57", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.169574200Z", + "original": "\u003c5\u003e1 2021-03-11T18:02:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:02:57\",\"IsoTimestamp\":\"2021-03-11T18:02:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "user": { + "name": "Administrator" + }, + "ip": "34.71.250.247" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "PSMPGW_SSH" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:49:35.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_SSH", + "Administrator" + ], + "ip": [ + "81.32.170.205", + 
"34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T13:49:35Z", + "gateway_station": "34.71.250.247", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e19\u003c/MessageID\u003e\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Full Gateway Connection", + "source_user": "PSMPGW_SSH", + "message": "Full Gateway Connection", + "issuer": "Administrator", + "timestamp": "Mar 14 06:49:35", + "desc": "Full Gateway Connection" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.169578300Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"34.71.250.247\"}}}", + "code": "19", + "kind": "event", + "action": "full gateway connection", + "category": [ + "network" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PSMPGW_SSH" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json new file mode 100644 index 00000000000..6941b57a37d --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json 
@@ -0,0 +1,59 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.0.15", + "ip": "10.0.0.15" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T09:20:07.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-25T09:20:07Z", + "station": "10.0.0.15", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 05:20:07\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T09:20:07Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e20\u003c/MessageID\u003e\n \u003cDesc\u003ePartial Gateway Connection\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMGw_COMP01\u003c/Issuer\u003e\n \u003cAction\u003ePartial Gateway Connection\u003c/Action\u003e\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePartial Gateway Connection\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Partial Gateway Connection", + "source_user": 
"Administrator", + "message": "Partial Gateway Connection", + "issuer": "PSMGw_COMP01", + "timestamp": "Mar 25 05:20:07", + "desc": "Partial Gateway Connection" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "action": "partial gateway connection", + "ingested": "2021-05-31T15:30:17.406591400Z", + "original": "\u003c5\u003e1 2021-03-25T09:20:07Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e20\u003c/MessageID\u003e\\n \u003cDesc\u003ePartial Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMGw_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePartial Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePartial Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
05:20:07\",\"IsoTimestamp\":\"2021-03-25T09:20:07Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"20\",\"Desc\":\"Partial Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_COMP01\",\"Action\":\"Partial Gateway Connection\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Partial Gateway Connection\",\"GatewayStation\":\"\"}}}", + "code": "20", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json new file mode 100644 index 00000000000..6d6f5015c96 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json 
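Review bot: The `event` block for MessageID 20 carries only `code`, `kind` and `action` — no `event.category`, `event.type` or `event.outcome` — whereas the sibling fixture for MessageID 19 (Full Gateway Connection) pins `"category": ["network"]`, `"type": ["start"]` and `"outcome": "success"`, so committing this file locks in a categorization gap for the partial-connection variant rather than a deliberate decision. The same record shows `SourceUser` = Administrator and `Issuer` = PSMGw_COMP01 inside `original`, yet no `source.user.name`, `user.name` or `related.user` is produced, which the MessageID 19 fixture does populate; if that is intentional for message 20 it deserves a comment in the pipeline, otherwise the mapping should be extended before this oracle is committed. `event.ingested` is a wall-clock value that will differ on every run — presumably it is listed under `dynamic_fields` in the matching `-config.yml`, which is not visible here, so worth confirming.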
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T10:17:54.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T10:17:54Z", + "station": "0.0.0.0", + "action": "Old Backup Files Deletion Start", + "message": "Old Backup Files Deletion Start", + "issuer": "Batch", + "timestamp": "Mar 09 02:17:54", + "desc": "Old Backup Files Deletion Start" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "old backup files deletion start", + "ingested": "2021-05-31T15:30:17.436108900Z", + "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"202\",\"Desc\":\"Old Backup Files Deletion Start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion Start\",\"GatewayStation\":\"\"}}}", + "code": "202", + "kind": "event" + } + } + ] +} \ No newline at end of file 
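Review bot: `source.ip` and `related.ip` are populated with `"0.0.0.0"` from the `Station` field of this Batch-issued record, and the same happens in the MessageID 203 fixture that follows (its `@@ -0,0 +1,57 @@` hunk). `0.0.0.0` is the unspecified-address placeholder rather than a peer, so indexing it under `related.ip` makes every Batch event match any correlation or enrichment query on that value and offers a meaningless candidate for geo lookups; the pipeline would be better off dropping `Station` when it equals `0.0.0.0`, in which case the expected output here should contain no `source` block and no `related.ip` entry. Like the MessageID 20 fixture, this event also lacks `event.category`/`event.type`, and `"issuer": "Batch"` is not surfaced as `user.name`, so a reader of this oracle cannot tell whether that is by design.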
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json new file mode 100644 index 00000000000..ef84a29db62 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json 
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T10:17:54.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T10:17:54Z", + "station": "0.0.0.0", + "action": "Old Backup Files Deletion End", + "message": "Old Backup Files Deletion End", + "issuer": "Batch", + "timestamp": "Mar 09 02:17:54", + "desc": "Old Backup Files Deletion End" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "old backup files deletion end", + "ingested": "2021-05-31T15:30:17.459457400Z", + "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"203\",\"Desc\":\"Old Backup Files Deletion End\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion End\",\"GatewayStation\":\"\"}}}", + "code": "203", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json new file mode 100644 index 00000000000..ea6a2f7d1c6 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json 
@@ -0,0 +1,217 @@ +{ + "expected": [ + { + "destination": { + "user": { + "name": "test12" + }, + "address": "radiussrv.cyberark.local", + "domain": "radiussrv.cyberark.local" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.2.0.4", + "ip": "10.2.0.4" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.6.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "test12" + ], + "ip": [ + "10.2.0.4" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "ImmediateTask", + "iso_timestamp": "2021-03-16T15:01:00Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e22\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"LINUX-SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"test12\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"radiussrv.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1604943844\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "CPM Verify Password", + "issuer": "PasswordManager", + "rfc5424": false, + "extra_details": { + "other": { + "address": "radiussrv.cyberark.local" + }, + "username": "test12" + }, + "file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "ca_properties": { + "other": {}, + "address": "radiussrv.cyberark.local", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "LINUX-SSH", + "user_name": "test12", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1604943844", + "last_task": "VerifyTask" + }, + "safe": "Linux", + "station": "10.2.0.4", + "action": "CPM Verify Password", + "desc": "CPM Verify Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.486140100Z", + "original": "Apr 07 09:51:42 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"}]}}}}", + "code": "22", + "kind": "event", + "action": "cpm verify password", + "category": [ + "iam" + ], + "type": [ + "admin", + "info" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + 
"preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:22:44.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "testark" + ], + "ip": [ + "10.0.1.20", + "34.123.103.115" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "ImmediateTask", + "iso_timestamp": "2021-03-15T10:22:44Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e22\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n 
\u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "34.123.103.115" + }, + "username": "testark" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password", + "timestamp": "Mar 15 03:22:44", + "desc": "CPM Verify Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.486170800Z", + "original": "\u003c5\u003e1 2021-03-15T10:22:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 
03:22:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:44\",\"IsoTimestamp\":\"2021-03-15T10:22:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "22", + "kind": "event", + "action": "cpm verify password", + "category": [ + "iam" + ], + "type": [ + "admin", + "info" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + } + ] +} \ No newline at end of file 
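Review bot: The two documents in this file place the same `address` key inconsistently — `extra_details` nests it under `other` (`"other": {"address": ...}`) while `username` sits at the top level, but `ca_properties` puts `address` at the top level and emits an empty `"other": {}`. The empty object is noise in an oracle and usually a sign that the pipeline's catch-all bucket is created before it is known to be needed; dropping empty `other` objects in the pipeline (and placing `extra_details.address` alongside `username`) would make the two structures parallel. `ca_properties.last_success_verification` is an epoch-seconds value (`"1604943844"`) kept as a string, and `retries_count` is `"-1"`, so neither is queryable numerically or as a date unless the data stream's field definitions convert them — worth checking before pinning them as strings here. Note also that the first document's `original` starts with `Apr 07 09:51:42` while `@timestamp` is taken from the embedded `IsoTimestamp` (2021-03-16); that looks like the intended precedence, but since the two dates disagree it deserves a comment in the pipeline.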
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json new file mode 100644 index 00000000000..09a7b43ab2e --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json 
@@ -0,0 +1,192 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Action On Closed Safe", + "message": "Action On Closed Safe", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Action On Closed Safe" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:17.560759100Z", + "original": "\u003c7\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", + "code": "23", + "kind": "event", + "action": "action on closed safe", + "type": "error" + } + }, + 
{ + "log": { + "syslog": { + "priority": 7 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:07:27.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:07:27Z", + "safe": "AccountsFeedADAccounts", + "station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:07:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:07:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e23\u003c/MessageID\u003e\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eAccountsFeedADAccounts\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Action On Closed Safe", + "message": "Action On Closed 
Safe", + "issuer": "PasswordManager", + "timestamp": "Mar 14 05:07:27", + "desc": "Action On Closed Safe" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:17.560798600Z", + "original": "\u003c7\u003e1 2021-03-14T12:07:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedADAccounts\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:27\",\"IsoTimestamp\":\"2021-03-14T12:07:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed 
Safe\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedADAccounts\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", + "code": "23", + "kind": "event", + "action": "action on closed safe", + "type": "error" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:16.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:16Z", + "safe": "PSMPConf", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e23\u003c/MessageID\u003e\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Action On Closed Safe", + "message": "Action On Closed Safe", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:16", + "desc": "Action On Closed Safe" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:17.560806300Z", + "original": "\u003c7\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", + "code": "23", + "kind": "event", + "action": "action on closed safe", + "type": "error" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json new file mode 100644 index 00000000000..3840114c658 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json 
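Review bot: Every event in this fixture records `event.type` as the scalar `"error"` with no `event.category`, while the test-22 and test-24 fixtures in the same commit emit arrays (`"type": ["admin", "info"]`, `"category": ["iam"]`); ECS defines both as array fields and Kibana dashboards and detection rules typically filter on a category/type pair, so error events for message 23 will be missed by such queries. The issuer is populated here (`"issuer": "Administrator"`, `"issuer": "PasswordManager"`) yet no `user.name` or `related.user` is set, unlike the test-22 events where the issuer becomes `user.name`; if that is not intentional, the pipeline should map it for this message ID as well. Both are properties of the ingest pipeline rather than this file, which is outside the diff, and this fixture should be regenerated once the pipeline is adjusted, e.g. `"category": ["iam"], "type": ["error"]`.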
@@ -0,0 +1,408 @@ +{ + "expected": [ + { + "destination": { + "address": "radiussrv.cyberark.local", + "domain": "radiussrv.cyberark.local" + }, + "source": { + "address": "10.2.0.4", + "ip": "10.2.0.4" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "test12" + ], + "ip": [ + "10.2.0.4" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "ImmediateTask", + "iso_timestamp": "2021-03-16T15:01:00Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e24\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty 
Name=\"PolicyID\" Value=\"LINUX-SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"test12\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"radiussrv.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1604943844\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1604944158\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "CPM Change Password", + "issuer": "PasswordManager", + "rfc5424": false, + "extra_details": { + "other": { + "address": "radiussrv.cyberark.local" + }, + "username": "test12" + }, + "file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12", + "ca_properties": { + "other": {}, + "address": "radiussrv.cyberark.local", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "LINUX-SSH", + "user_name": "test12", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1604943844", + "last_success_change": "1604944158", + "last_task": "ChangeTask" + }, + "safe": "Linux", + "station": "10.2.0.4", + "action": "CPM Change Password", + "desc": "CPM Change Password" + } + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.633768800Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1604944158\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1604944158\"}]}}}}", + "code": "24", + "kind": "event", + "action": "cpm change password", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "test12" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "components", + "domain": "components" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + 
"product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T19:20:05.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "x_accountA" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "ImmediateTask", + "iso_timestamp": "2021-03-08T19:20:05Z", + "message": "CPM Change Password", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "components" + }, + "username": "x_accountA" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountA", + "index": "1", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "-1", + "last_task": "ChangeTask", + "sequence_id": "27", + "dual_account_status": "Inactive", + "last_success_change": "1615231204" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "safe": "Test", + "station": "10.0.1.20", + "action": "CPM Change Password", + "timestamp": "Mar 08 11:20:05", + "desc": "CPM Change Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.633787300Z", + "original": "\u003c5\u003e1 2021-03-08T19:20:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:05\",\"IsoTimestamp\":\"2021-03-08T19:20:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "24", + "kind": "event", + "action": "cpm change password", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "x_accountA" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "components", + "domain": "components" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T23:39:28.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", 
+ "x_accountB" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "ImmediateTask", + "iso_timestamp": "2021-03-10T23:39:28Z", + "message": "CPM Change Password", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "components" + }, + "username": "x_accountB" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountB", + "index": "2", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "-1", + "last_task": "ChangeTask", + "sequence_id": "25", + "dual_account_status": "Inactive", + "last_success_change": "1615419568" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "safe": "Test", + "station": "10.0.1.20", + "action": "CPM Change Password", + "timestamp": "Mar 10 15:39:28", + "desc": "CPM Change Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.633792700Z", + "original": "\u003c5\u003e1 2021-03-10T23:39:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:28\",\"IsoTimestamp\":\"2021-03-10T23:39:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountB;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "24", + "kind": "event", + "action": "cpm change password", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "x_accountB" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "components", + "domain": "components" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:12:24.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "x_accountA" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + 
"severity": "Info", + "reason": "ImmediateTask", + "iso_timestamp": "2021-03-15T10:12:24Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:24\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:12:24Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e24\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eTest\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=components;username=x_accountA;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDesktopLocal\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"x_accountA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"components\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"28\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" 
Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"GroupName\" Value=\"WindowsGroup\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1615803143\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Index\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DualAccountStatus\" Value=\"Inactive\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"VirtualUsername\" Value=\"virtual\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Change Password", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "components" + }, + "username": "x_accountA" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountA", + "index": "1", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "-1", + "last_task": "ChangeTask", + "sequence_id": "28", + "dual_account_status": "Inactive", + "last_success_change": "1615803143" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "safe": "Test", + "station": "10.0.1.20", + "action": "CPM Change Password", + "timestamp": "Mar 15 03:12:24", + "desc": "CPM Change Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:17.633796700Z", + "original": "\u003c5\u003e1 2021-03-15T10:12:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n 
\u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=components;username=x_accountA;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"28\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615803143\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:24\",\"IsoTimestamp\":\"2021-03-15T10:12:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change 
Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"28\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615803143\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "24", + "kind": "event", + "action": "cpm change password", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "x_accountA" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json new file mode 100644 index 00000000000..8d5ea132e8b --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json 
@@ -0,0 +1,268 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:21.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:21Z", + "station": "81.32.170.205", + "action": "Add/Update Group", + "source_user": "PSMMaster", + "message": "Add/Update Group", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:21", + "desc": "Add/Update Group" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add/update group", + "ingested": "2021-05-31T15:30:17.777210400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", + "code": "259", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + 
} + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:21.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:21Z", + "station": "81.32.170.205", + "action": "Add/Update Group", + "source_user": "PSMAppUsers", + "message": "Add/Update Group", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:21", + "desc": "Add/Update Group" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add/update group", + "ingested": "2021-05-31T15:30:17.777229Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", + "code": "259", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": 
"ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:35.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:35Z", + "station": "81.32.170.205", + "action": "Add/Update Group", + "source_user": "PSMP_ADB_AppUsers", + "message": "Add/Update Group", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:35", + "desc": "Add/Update Group" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add/update group", + "ingested": "2021-05-31T15:30:17.777233900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", + "code": "259", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + 
"country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:29.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:29Z", + "station": "81.32.170.205", + "action": "Add/Update Group", + "source_user": "PSMLiveSessionTerminators", + "message": "Add/Update Group", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:29", + "desc": "Add/Update Group" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add/update group", + "ingested": "2021-05-31T15:30:17.777237700Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMLiveSessionTerminators\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", + "code": "259", + "kind": "event" + } + } + ] +} \ No newline at end of file 
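Review bot: The four Add/Update Group (code 259) events in this hunk carry only `event.kind`, `event.action` and `event.code` — no `event.category`, `event.type` or `event.outcome` — whereas the CPM Change Password fixture earlier in the patch is categorised as `"category": ["iam"]` / `"type": ["user", "change"]`. A vault group definition change is an IAM event, so ECS-driven detections keyed on `event.category: iam` would silently miss it; the same gap is visible in the Add Group Member (code 265) fixture that follows. Since these expected files are regenerated from pipeline output, the fix belongs in the ingest pipeline's code-to-category mapping (outside this hunk), e.g. mapping 259 to `"category": ["iam"], "type": ["group", "change"]`, with the fixture regenerated afterwards. If leaving these codes uncategorised is intentional, a comment in the pipeline explaining why would help the next maintainer.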
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json new file mode 100644 index 00000000000..1c7ecce0ffa --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json 
@@ -0,0 +1,935 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:22.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:22Z", + "station": "81.32.170.205", + "action": "Add Group Member", + "target_user": "PSMPApp_localhost.localdomain", + "source_user": "PSMAppUsers", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:22", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878014100Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + 
"code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:22.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:22Z", + "station": "81.32.170.205", + "action": "Add Group Member", + "target_user": "PSMPGW_localhost.localdomain", + "source_user": "PVWAGWAccounts", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:22", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878032900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", 
+ "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:35.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:35Z", + "station": "81.32.170.205", + "action": "Add Group Member", + "target_user": "PSMP_ADB_localhost.localdomain", + "source_user": "PSMP_ADB_AppUsers", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:35", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878038200Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group 
Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:58:01.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:58:01Z", + "station": "81.32.170.205", + "action": "Add Group Member", + "target_user": "Administrator", + "source_user": "PSMMaster", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 09:58:01", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878068500Z", + "original": "\u003c5\u003e1 2021-03-10T17:58:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:01\",\"IsoTimestamp\":\"2021-03-10T17:58:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", 
+ "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:29.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:29Z", + "station": "81.32.170.205", + "action": "Add Group Member", + "target_user": "PSMApp_VAGRANT", + "source_user": "PSMAppUsers", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:29", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878073900Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": 
"event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:30.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:30Z", + "station": "81.32.170.205", + "action": "Add Group Member", + "target_user": "PSMGw_VAGRANT", + "source_user": "PVWAGWAccounts", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:30", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878078100Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:30\",\"IsoTimestamp\":\"2021-03-10T17:59:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + 
"log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:17:15.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:17:15Z", + "station": "35.192.121.42", + "action": "Add Group Member", + "target_user": "Administrator", + "source_user": "PSMMaster", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 14:17:15", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878081800Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:15\",\"IsoTimestamp\":\"2021-03-10T22:17:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, 
+ "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:19:16.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:19:16Z", + "station": "35.192.121.42", + "action": "Add Group Member", + "target_user": "PSMApp_ASR-WIN", + "source_user": "PSMAppUsers", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 14:19:16", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878085500Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + 
"continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:19:16.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:19:16Z", + "station": "35.192.121.42", + "action": "Add Group Member", + "target_user": "PSMGw_ASR-WIN", + "source_user": "PVWAGWAccounts", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 14:19:16", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878089100Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + 
"region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:38.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:59:38Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add Group Member", + "target_user": "PSMPApp_VAGRANT", + "source_user": "PSMAppUsers", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 11 08:59:38", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878092700Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:38.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:59:38Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n 
\u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add Group Member", + "target_user": "PSMPGW_VAGRANT", + "source_user": "PVWAGWAccounts", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 11 08:59:38", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878109700Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n 
\u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:17.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": 
true, + "iso_timestamp": "2021-03-14T12:57:17Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add Group Member", + "target_user": "PSMPGW_SSH", + "source_user": "PVWAGWAccounts", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:17", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878115800Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n 
\u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + 
"geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:17.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:17Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + 
"action": "Add Group Member", + "target_user": "PSMPApp_SSH", + "source_user": "PSMAppUsers", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:17", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878120100Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:21.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:21Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e265\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eAdd 
Group Member\u003c/Action\u003e\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Add Group Member", + "target_user": "PSMP_ADB_asr-cyberark-psm-ssh", + "source_user": "PSMP_ADB_AppUsers", + "message": "Add Group Member", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:21", + "desc": "Add Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add group member", + "ingested": "2021-05-31T15:30:17.878124200Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\\n 
\u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", + "code": "265", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json new file mode 100644 index 00000000000..d2d050933f4 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json 
@@ -0,0 +1,137 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:48.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:48Z", + "station": "81.32.170.205", + "action": "Remove Group Member", + "target_user": "Administrator", + "source_user": "PSMMaster", + "message": "Remove Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:48", + "desc": "Remove Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "remove group member", + "ingested": "2021-05-31T15:30:18.201329900Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:48\",\"IsoTimestamp\":\"2021-03-10T17:59:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", + "code": "266", + 
"kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:19:23.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:19:23Z", + "station": "35.192.121.42", + "action": "Remove Group Member", + "target_user": "Administrator", + "source_user": "PSMMaster", + "message": "Remove Group Member", + "issuer": "Administrator", + "timestamp": "Mar 10 14:19:23", + "desc": "Remove Group Member" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "remove group member", + "ingested": "2021-05-31T15:30:18.201348Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:23\",\"IsoTimestamp\":\"2021-03-10T22:19:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", + "code": "266", + "kind": "event" + } + } + ] +} 
\ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json new file mode 100644 index 00000000000..1e8b47a569d --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json 
@@ -0,0 +1,71 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:33.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:33Z", + "safe": "PSMSessions", + "station": "81.32.170.205", + "action": "Remove Owner", + "source_user": "Administrator", + "message": "Remove Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:33", + "desc": "Remove Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "remove owner", + "ingested": "2021-05-31T15:30:18.264087900Z", + "original": "\u003c5\u003e1 2021-03-10T17:59:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:33\",\"IsoTimestamp\":\"2021-03-10T17:59:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"273\",\"Desc\":\"Remove Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Owner\",\"GatewayStation\":\"\"}}}", + "code": "273", + "kind": "event" + } + } + ] +} \ No newline at end of 
file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json new file mode 100644 index 00000000000..f2b2c0925f7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json 
@@ -0,0 +1,65 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T18:01:14.000Z", + "file": { + "path": "Root\\2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Allow", + "iso_timestamp": "2021-03-11T18:01:14Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e278\u003c/MessageID\u003e\n \u003cDesc\u003eAdd Rule\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\n \u003cAction\u003eAdd Rule\u003c/Action\u003e\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\n \u003cFile\u003eRoot\\2\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eAllow\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eAdd Rule\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Add Rule", + "issuer": "PVWAAppUser", + "rfc5424": true, 
+ "file": "Root\\2", + "safe": "PSMUnmanagedSessionAccounts", + "station": "10.0.1.20", + "action": "Add Rule", + "source_user": "Administrator", + "timestamp": "Mar 11 10:01:14", + "desc": "Add Rule" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "add rule", + "ingested": "2021-05-31T15:30:18.318037500Z", + "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e278\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Rule\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Rule\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAllow\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Rule\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"278\",\"Desc\":\"Add Rule\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add Rule\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Allow\",\"ExtraDetails\":\"\",\"Message\":\"Add Rule\",\"GatewayStation\":\"\"}}}", + "code": "278", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json new file mode 100644 index 00000000000..a794fb8de5e --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json 
@@ -0,0 +1,103 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-05T11:00:06.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-05T11:00:06Z", + "station": "0.0.0.0", + "action": "Auto Clear Users History start", + "message": "Auto Clear Users History start", + "issuer": "Batch", + "timestamp": "Mar 05 03:00:06", + "desc": "Auto Clear Users History start" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "auto clear users history start", + "ingested": "2021-05-31T15:30:18.346643100Z", + "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", + "code": "288", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T03:00:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + 
"audit": { + "rfc5424": false, + "severity": "Info", + "station": "0.0.0.0", + "action": "Auto Clear Users History start", + "message": "Auto Clear Users History start", + "issuer": "Batch", + "desc": "Auto Clear Users History start" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "action": "auto clear users history start", + "ingested": "2021-05-31T15:30:18.346669900Z", + "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", + "code": "288", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json new file mode 100644 index 00000000000..2610c72f1d2 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json 
@@ -0,0 +1,103 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-05T11:00:06.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-05T11:00:06Z", + "station": "0.0.0.0", + "action": "Auto Clear Users History end", + "message": "Auto Clear Users History end", + "issuer": "Batch", + "timestamp": "Mar 05 03:00:06", + "desc": "Auto Clear Users History end" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "auto clear users history end", + "ingested": "2021-05-31T15:30:18.420015400Z", + "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", + "code": "289", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T03:00:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + 
"rfc5424": false, + "severity": "Info", + "station": "0.0.0.0", + "action": "Auto Clear Users History end", + "message": "Auto Clear Users History end", + "issuer": "Batch", + "desc": "Auto Clear Users History end" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "action": "auto clear users history end", + "ingested": "2021-05-31T15:30:18.420031500Z", + "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", + "code": "289", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json new file mode 100644 index 00000000000..d90b2d424e9 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json 
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T09:00:47.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T09:00:47Z", + "station": "0.0.0.0", + "action": "Auto Clear Safes History start", + "message": "Auto Clear Safes History start", + "issuer": "Batch", + "timestamp": "Mar 09 01:00:47", + "desc": "Auto Clear Safes History start" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "auto clear safes history start", + "ingested": "2021-05-31T15:30:18.460922600Z", + "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"290\",\"Desc\":\"Auto Clear Safes History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History start\",\"GatewayStation\":\"\"}}}", + "code": "290", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json new file mode 100644 index 00000000000..0f228aa361a --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json 
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T09:00:47.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T09:00:47Z", + "station": "0.0.0.0", + "action": "Auto Clear Safes History end", + "message": "Auto Clear Safes History end", + "issuer": "Batch", + "timestamp": "Mar 09 01:00:47", + "desc": "Auto Clear Safes History end" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "auto clear safes history end", + "ingested": "2021-05-31T15:30:18.485427900Z", + "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"291\",\"Desc\":\"Auto Clear Safes History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History end\",\"GatewayStation\":\"\"}}}", + "code": "291", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json new file mode 100644 index 00000000000..1e2be9bedf2 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json 
@@ -0,0 +1,736 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T10:19:42.000Z", + "file": { + "path": "Root\\Groups\\WindowsGroup" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T10:19:42Z", + "ca_properties": { + "other": { + "curr_ind": "2" + }, + "cpm_status": "failure", + "policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "last_success_change": "1615198782", + "in_process": "ChangeTask", + "last_task": "ChangeTask" + }, + "file": "Root\\Groups\\WindowsGroup", + "safe": "Test", + "station": "10.0.1.20", + "action": "Store password", + "message": "Store password", + "issuer": "PasswordManager", + "timestamp": "Mar 08 02:19:42", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510911600Z", + "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:24:49.000Z", + "file": { + "path": "Root\\Operating System-WinDesktopLocal-Address-adriansr" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:24:49Z", + "file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "gateway_station": "10.0.1.20", + "safe": "Test", + "station": "127.0.0.1", + "action": "Store password", + "message": "Store password", + "issuer": "Administrator", + "timestamp": "Mar 08 10:24:49", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510931Z", + "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store 
password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T19:20:02.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T19:20:02Z", + "ca_properties": { + "other": { + "start_change_not_before": "1615231182" + }, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountA", + "index": "1", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "0", + "reset_immediately": "ChangeTask", + "last_task": "ChangeTask", + "in_process": "ChangeTask", + "sequence_id": "26", + "dual_account_status": "Inactive", + "last_success_change": "1614785704" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "safe": "Test", + "station": "10.0.1.20", + "action": "Store password", + "message": "Store password", + "issuer": "PasswordManager", + "timestamp": "Mar 08 11:20:02", + "desc": "Store password" + } + }, + "host": { + "name": 
"VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510935300Z", + "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + 
"preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T14:38:57.000Z", + "file": { + "path": "Root\\Groups\\WindowsGroup" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T14:38:57Z", + "ca_properties": { + "other": { + "curr_ind": "1" + }, + "cpm_status": "failure", + "policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "last_success_change": "1615387136", + "in_process": "ChangeTask", + "last_task": "ChangeTask" + }, + "file": "Root\\Groups\\WindowsGroup", + "safe": "Test", + "station": "10.0.1.20", + "action": "Store password", + "message": "Store password", + "issuer": "PasswordManager", + "timestamp": "Mar 10 06:38:57", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510938700Z", + "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:58:06.000Z", + "file": { + "path": "Root\\PSMServer" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:58:06Z", + "file": "Root\\PSMServer", + "safe": "PSM", + "station": "81.32.170.205", + "action": "Store password", + "message": "Store password", + "issuer": "Administrator", + "timestamp": "Mar 10 09:58:06", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510941900Z", + "original": "\u003c5\u003e1 2021-03-10T17:58:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
09:58:06\",\"IsoTimestamp\":\"2021-03-10T17:58:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:17:26.000Z", + "file": { + "path": "Root\\PSM-ASR-CYBERARK-WI" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:17:26Z", + "file": "Root\\PSM-ASR-CYBERARK-WI", + "safe": "PSM", + "station": "35.192.121.42", + "action": "Store password", + "message": "Store password", + "issuer": "Administrator", + "timestamp": "Mar 10 14:17:26", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510945100Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T23:39:25.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T23:39:25Z", + "ca_properties": { + "other": { + "start_change_not_before": "1615419536" + }, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountB", + "index": "2", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "0", + "reset_immediately": "ChangeTask", + "last_task": "ChangeTask", + "in_process": "ChangeTask", + "sequence_id": "24", + "dual_account_status": "Inactive", + "last_success_change": "1614868762" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "safe": "Test", + "station": "10.0.1.20", + "action": "Store password", + 
"message": "Store password", + "issuer": "PasswordManager", + "timestamp": "Mar 10 15:39:25", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510948100Z", + "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "294", + "kind": 
"event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T11:48:26.000Z", + "file": { + "path": "Root\\Groups\\WindowsGroup" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T11:48:26Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e294\u003c/MessageID\u003e\n \u003cDesc\u003eStore password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eStore password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eTest\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Groups\\WindowsGroup\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" 
Value=\"WindowsDesktopLocalAccountsRotationalPolicy\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"InProcess\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1615722505\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CurrInd\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Store password", + "issuer": "PasswordManager", + "rfc5424": true, + "ca_properties": { + "other": { + "curr_ind": "2" + }, + "cpm_status": "failure", + "policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "last_success_change": "1615722505", + "in_process": "ChangeTask", + "last_task": "ChangeTask" + }, + "file": "Root\\Groups\\WindowsGroup", + "safe": "Test", + "station": "10.0.1.20", + "action": "Store password", + "timestamp": "Mar 14 04:48:26", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510951300Z", + "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n 
\u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Groups\\\\WindowsGroup\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WindowsDesktopLocalAccountsRotationalPolicy\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615722505\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CurrInd\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store 
password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615722505\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:12:21.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:12:21Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:12:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e294\u003c/MessageID\u003e\n \u003cDesc\u003eStore password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eStore 
password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eTest\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDesktopLocal\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"x_accountA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"components\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"InProcess\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"27\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"StartChangeNotBefore\" Value=\"1615754905\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"GroupName\" Value=\"WindowsGroup\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1615231204\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Index\" 
Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DualAccountStatus\" Value=\"Inactive\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"VirtualUsername\" Value=\"virtual\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Store password", + "issuer": "PasswordManager", + "rfc5424": true, + "ca_properties": { + "other": { + "start_change_not_before": "1615754905" + }, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountA", + "index": "1", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "0", + "reset_immediately": "ChangeTask", + "last_task": "ChangeTask", + "in_process": "ChangeTask", + "sequence_id": "27", + "dual_account_status": "Inactive", + "last_success_change": "1615231204" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "safe": "Test", + "station": "10.0.1.20", + "action": "Store password", + "timestamp": "Mar 15 03:12:21", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510954200Z", + "original": "\u003c5\u003e1 2021-03-15T10:12:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"27\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"StartChangeNotBefore\\\" Value=\\\"1615754905\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" 
Value=\\\"1615231204\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:21\",\"IsoTimestamp\":\"2021-03-15T10:12:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615754905\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "294", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:13:01.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T13:13:01Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\n 
\u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e294\u003c/MessageID\u003e\n \u003cDesc\u003eStore password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eStore password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore password\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813465\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not 
set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Store password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "last_fail_date": "1615813465" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "127.0.0.1", + "action": "Store password", + "timestamp": "Mar 15 06:13:01", + "desc": "Store password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store password", + "ingested": "2021-05-31T15:30:18.510957200Z", + "original": "\u003c5\u003e1 2021-03-15T13:13:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n 
\u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:13:01\",\"IsoTimestamp\":\"2021-03-15T13:13:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "294", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
new file mode 100644
index 00000000000..96a954e2485
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
@@ -0,0 +1,1244 @@ +{ + "expected": [ + { + "destination": { + "user": { + "name": "admin2" + }, + "address": "radiussrv.cyberark.local", + "domain": "radiussrv.cyberark.local" + }, + "source": { + "user": { + "name": "Prov_PVWA" + }, + "address": "10.2.0.3", + "ip": "10.2.0.3" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Prov_PVWA", + "admin2" + ], + "ip": [ + "10.2.0.3" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "AIM password request", + "iso_timestamp": "2021-03-16T15:01:00Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e295\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eProv_PVWA\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\n \u003cStation\u003e10.2.0.3\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eAIM password request\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n 
\u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"LINUX-SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"admin2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"radiussrv.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"No Reason\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Customer\" Value=\"Nobody\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "Retrieve password", + "issuer": "Prov_PVWA", + "rfc5424": false, + "file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "ca_properties": { + "other": {}, + "address": "radiussrv.cyberark.local", + "creation_method": "PVWA", + "policy_id": "LINUX-SSH", + "user_name": "admin2", + "cpm_disabled": "No Reason", + "device_type": "Operating System", + "customer": "Nobody" + }, + "safe": "Linux", + "station": "10.2.0.3", + "action": "Retrieve password", + "desc": "Retrieve password" + } + }, + "event": { + "severity": 2, + "reason": "AIM password request", + "ingested": "2021-05-31T15:30:18.767877400Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eProv_PVWA\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.3\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAIM password request\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Nobody\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_PVWA\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.3\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"AIM password 
request\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Nobody\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Prov_PVWA" + } + }, + { + "destination": { + "user": { + "name": "Administrator2" + }, + "address": "dbserver.cyberark.local", + "domain": "dbserver.cyberark.local" + }, + "source": { + "user": { + "name": "adm2" + }, + "address": "10.2.0.6", + "ip": "10.2.0.6" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "adm2", + "Administrator2" + ], + "ip": [ + "10.2.0.6", + "10.2.0.3" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "(Action: Show Password)", + "iso_timestamp": "2021-03-16T15:01:00Z", + "gateway_station": "10.2.0.3", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e295\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\n 
\u003cAction\u003eRetrieve password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eWindows\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Show Password)\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cRetrieveAction\u003eShow Password\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WIN-SERVER-LOCAL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"Administrator2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"dbserver.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"DBServer\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessReconciliation\" Value=\"1604944215\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Customer\" Value=\"EvilCorp\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "Retrieve password", + "issuer": "adm2", + "pvwa_details": { + "retrieve_reason": { + "general": { + "retrieve_action": "Show Password" + } + } + }, + "rfc5424": false, + "file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "ca_properties": { + "other": {}, + "address": "dbserver.cyberark.local", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WIN-SERVER-LOCAL", + "last_success_reconciliation": "1604944215", + "user_name": "Administrator2", + "device_type": "Operating System", + "retries_count": "-1", + "last_task": "ReconcileTask", + "sequence_id": "1", + "logon_domain": "DBServer", + "customer": "EvilCorp" + }, + "safe": "Windows", + "station": "10.2.0.6", + "action": "Retrieve password", + "desc": "Retrieve password" + } + }, + "event": { + "severity": 2, + "reason": "(Action: Show Password)", + "ingested": "2021-05-31T15:30:18.767937100Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n 
\u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Show Password)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eShow Password\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Show Password)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Show Password\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "adm2" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "test" + }, + "address": "test", + "domain": "test" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": 
"Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:16:51.000Z", + "file": { + "path": "Root\\testobject" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "test" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "testing", + "iso_timestamp": "2021-03-08T18:16:51Z", + "message": "Retrieve password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "test", + "creation_method": "PVWA", + "policy_id": "WinDesktopLocal", + "user_name": "test", + "cpm_disabled": "testing", + "device_type": "Operating System" + }, + "file": "Root\\testobject", + "safe": "Test", + "station": "10.0.1.20", + "action": "Retrieve password", + "timestamp": "Mar 08 10:16:51", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "testing", + "ingested": "2021-05-31T15:30:18.767946Z", + "original": "\u003c5\u003e1 2021-03-08T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:16:51\",\"IsoTimestamp\":\"2021-03-08T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\testobject\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve 
password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"test\"},{\"Name\":\"Address\",\"Value\":\"test\"},{\"Name\":\"CPMDisabled\",\"Value\":\"testing\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "x_accountA" + }, + "address": "components", + "domain": "components" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T19:19:59.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "x_accountA" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "CPM", + "iso_timestamp": "2021-03-08T19:19:59Z", + "message": "Retrieve password", + "issuer": "PasswordManager", + "rfc5424": true, + "ca_properties": { + "other": { + "start_change_not_before": "1615231182" + }, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountA", + "index": "1", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "0", + "reset_immediately": "ChangeTask", + "last_task": "ChangeTask", + "in_process": "ChangeTask", + 
"sequence_id": "26", + "dual_account_status": "Inactive", + "last_success_change": "1614785704" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "safe": "Test", + "station": "10.0.1.20", + "action": "Retrieve password", + "timestamp": "Mar 08 11:19:59", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "CPM", + "ingested": "2021-05-31T15:30:18.767950600Z", + "original": "\u003c5\u003e1 2021-03-08T19:19:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:19:59\",\"IsoTimestamp\":\"2021-03-08T19:19:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve 
password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T19:20:02.000Z", + "file": { + "path": "Root\\Groups\\WindowsGroup" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "CPM", + "iso_timestamp": "2021-03-08T19:20:02Z", + "message": "Retrieve password", + "issuer": "PasswordManager", + "rfc5424": true, + "ca_properties": { + "other": { + "curr_ind": "2" + }, + "cpm_status": "success", + 
"policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "last_success_change": "1615198782", + "last_task": "ChangeTask" + }, + "file": "Root\\Groups\\WindowsGroup", + "safe": "Test", + "station": "10.0.1.20", + "action": "Retrieve password", + "timestamp": "Mar 08 11:20:02", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "CPM", + "ingested": "2021-05-31T15:30:18.767953800Z", + "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "x_accountA" + }, + "address": "components", + "domain": "components" + }, + "source": { + "user": { + "name": "Prov_COMPONENTS" + }, + "address": "10.0.1.20", + "ip": 
"10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T14:40:37.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Prov_COMPONENTS", + "x_accountA" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Application provider background refresh job", + "iso_timestamp": "2021-03-10T14:40:37Z", + "message": "Retrieve password", + "issuer": "Prov_COMPONENTS", + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountA", + "index": "1", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "-1", + "last_task": "ChangeTask", + "sequence_id": "27", + "dual_account_status": "Active", + "last_success_change": "1615231204" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "safe": "Test", + "station": "10.0.1.20", + "action": "Retrieve password", + "timestamp": "Mar 10 06:40:37", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "Application provider background refresh job", + "ingested": "2021-05-31T15:30:18.767956900Z", + "original": "\u003c5\u003e1 2021-03-10T14:40:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:40:37\",\"IsoTimestamp\":\"2021-03-10T14:40:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve 
password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Application provider background refresh job\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Prov_COMPONENTS" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "PSMAdminConnect" + }, + "address": "169.254.180.25", + "ip": "169.254.180.25" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:27:57.000Z", + "file": { + "path": 
"Root\\PSMAdmin" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMAdminConnect" + ], + "ip": [ + "127.0.0.1", + "169.254.180.25" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "test", + "iso_timestamp": "2021-03-10T18:27:57Z", + "message": "Retrieve password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "logon_domain": "VAGRANT-2012-R2", + "other": {}, + "address": "169.254.180.25", + "user_name": "PSMAdminConnect" + }, + "file": "Root\\PSMAdmin", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Retrieve password", + "timestamp": "Mar 10 10:27:57", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "test", + "ingested": "2021-05-31T15:30:18.767960Z", + "original": "\u003c5\u003e1 2021-03-10T18:27:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:27:57\",\"IsoTimestamp\":\"2021-03-10T18:27:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + 
"syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "PSMConnect" + }, + "address": "169.254.180.25", + "ip": "169.254.180.25" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:28:07.000Z", + "file": { + "path": "Root\\PSMServer" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMConnect" + ], + "ip": [ + "127.0.0.1", + "169.254.180.25" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "test", + "iso_timestamp": "2021-03-10T18:28:07Z", + "message": "Retrieve password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "logon_domain": "VAGRANT-2012-R2", + "other": {}, + "address": "169.254.180.25", + "user_name": "PSMConnect" + }, + "file": "Root\\PSMServer", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Retrieve password", + "timestamp": "Mar 10 10:28:07", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "test", + "ingested": "2021-05-31T15:30:18.767963400Z", + "original": "\u003c5\u003e1 2021-03-10T18:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:28:07\",\"IsoTimestamp\":\"2021-03-10T18:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve 
password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "x_accountB" + }, + "address": "components", + "domain": "components" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T23:39:22.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "x_accountB" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "CPM", + "iso_timestamp": "2021-03-10T23:39:22Z", + "message": "Retrieve password", + "issuer": "PasswordManager", + "rfc5424": true, + "ca_properties": { + "other": { + "start_change_not_before": "1615419536" + }, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountB", + "index": "2", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": 
"0", + "reset_immediately": "ChangeTask", + "last_task": "ChangeTask", + "in_process": "ChangeTask", + "sequence_id": "24", + "dual_account_status": "Inactive", + "last_success_change": "1614868762" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "safe": "Test", + "station": "10.0.1.20", + "action": "Retrieve password", + "timestamp": "Mar 10 15:39:22", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "CPM", + "ingested": "2021-05-31T15:30:18.767966400Z", + "original": "\u003c5\u003e1 2021-03-10T23:39:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:22\",\"IsoTimestamp\":\"2021-03-10T23:39:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve 
password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T23:39:25.000Z", + "file": { + "path": "Root\\Groups\\WindowsGroup" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "CPM", + "iso_timestamp": "2021-03-10T23:39:25Z", + "message": "Retrieve password", + "issuer": "PasswordManager", + "rfc5424": true, + "ca_properties": { + "other": { + "curr_ind": "1" + }, + "cpm_status": "success", + 
"policy_id": "WindowsDesktopLocalAccountsRotationalPolicy", + "last_success_change": "1615387136", + "last_task": "ChangeTask" + }, + "file": "Root\\Groups\\WindowsGroup", + "safe": "Test", + "station": "10.0.1.20", + "action": "Retrieve password", + "timestamp": "Mar 10 15:39:25", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "CPM", + "ingested": "2021-05-31T15:30:18.767969100Z", + "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "PSMAdminConnect" + }, + "address": "169.254.180.25", + "ip": "169.254.180.25" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": 
"127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:41:21.000Z", + "file": { + "path": "Root\\PSMAdmin" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMAdminConnect" + ], + "ip": [ + "127.0.0.1", + "169.254.180.25" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "lksajdflkasdf", + "iso_timestamp": "2021-03-11T16:41:21Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:41:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:41:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e295\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMAdmin\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003elksajdflkasdf\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"PSMAdminConnect\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"169.254.180.25\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"VAGRANT-2012-R2\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Retrieve password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "logon_domain": "VAGRANT-2012-R2", + "other": {}, + "address": "169.254.180.25", + "user_name": "PSMAdminConnect" + }, + "file": "Root\\PSMAdmin", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Retrieve password", + "timestamp": "Mar 11 08:41:21", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "lksajdflkasdf", + "ingested": "2021-05-31T15:30:18.767972Z", + "original": "\u003c5\u003e1 2021-03-11T16:41:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:41:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:41:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003elksajdflkasdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:41:21\",\"IsoTimestamp\":\"2021-03-11T16:41:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"lksajdflkasdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "PSMConnect" + }, + "address": "169.254.180.25", + "ip": "169.254.180.25" + }, + "source": { + "user": { + "name": 
"PVWAAppUser" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:50:28.000Z", + "file": { + "path": "Root\\PSMServer" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAAppUser", + "PSMConnect" + ], + "ip": [ + "10.0.1.20", + "169.254.180.25" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T16:50:28Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:50:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:50:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e295\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMServer\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"PSMConnect\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"169.254.180.25\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"VAGRANT-2012-R2\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Retrieve password", + "issuer": "PVWAAppUser", + "rfc5424": true, + "ca_properties": { + "logon_domain": "VAGRANT-2012-R2", + "other": {}, + "address": "169.254.180.25", + "user_name": "PSMConnect" + }, + "file": "Root\\PSMServer", + "safe": "PSM", + "station": "10.0.1.20", + "action": "Retrieve password", + "timestamp": "Mar 11 08:50:28", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:18.767975100Z", + "original": "\u003c5\u003e1 2021-03-11T16:50:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMServer\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:28\",\"IsoTimestamp\":\"2021-03-11T16:50:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAAppUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "PSMApp_VAGRANT" + }, + "address": "centos8", + "domain": "centos8" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + 
"preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:54:20.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "ip": [ + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "sdfsdf", + "iso_timestamp": "2021-03-11T16:54:20Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:54:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:54:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e295\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003esdfsdf\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"PSMApp_VAGRANT\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"centos8\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Retrieve password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "centos8", + "creation_method": "PVWA", + "policy_id": "UnixSSH", + "user_name": "PSMApp_VAGRANT" + }, + "file": "Root\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Retrieve password", + "timestamp": "Mar 11 08:54:20", + "desc": "Retrieve password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "sdfsdf", + "ingested": "2021-05-31T15:30:18.767978500Z", + "original": "\u003c5\u003e1 2021-03-11T16:54:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:54:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:54:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n 
\u003cFile\u003eRoot\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003esdfsdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMApp_VAGRANT\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"centos8\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:54:20\",\"IsoTimestamp\":\"2021-03-11T16:54:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"sdfsdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve 
password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"PSMApp_VAGRANT\"},{\"Name\":\"Address\",\"Value\":\"centos8\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "295", + "kind": "event", + "action": "retrieve password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json new file mode 100644 index 00000000000..48191f30069 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json 
@@ -0,0 +1,2162 @@ +{ + "expected": [ + { + "destination": { + "user": { + "name": "admin2" + }, + "address": "radiussrv.cyberark.local", + "domain": "radiussrv.cyberark.local" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.2.0.6", + "ip": "10.2.0.6" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh" + }, + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "admin2" + ], + "ip": [ + "10.2.0.6", + "10.2.0.7" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-16T15:01:00Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"LINUX-SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"admin2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"radiussrv.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"No Reason\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Customer\" Value=\"Tesla\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "rfc5424": false, + "extra_details": { + "protocol": "SSH", + "other": { + "user": "admin2" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "35fac41e-22b5-11eb-83ca-000c297aae88", + "src_host": "10.2.0.6", + "dst_host": "radiussrv.cyberark.local" + }, + "file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "ca_properties": { + "other": {}, + "address": "radiussrv.cyberark.local", + "creation_method": "PVWA", + "policy_id": "LINUX-SSH", + "user_name": "admin2", + "cpm_disabled": "No Reason", + "device_type": "Operating System", + "customer": "Tesla" + }, + "safe": "Linux", + "station": "10.2.0.7", + "action": "PSM Connect", + "desc": "PSM Connect" + } + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154739100Z", + "original": 
"{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"300\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + 
"tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:20.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:38:20Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "87012dcc-8290-11eb-949e-080027efd402", + "src_host": "127.0.0.1", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Connect", + "timestamp": "Mar 11 09:38:20", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154755600Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n 
\u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:20\",\"IsoTimestamp\":\"2021-03-11T17:38:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:46:56.000Z", + "file": { + "path": 
"Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:46:56Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" 
Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "ba22b012-8291-11eb-b981-080027efd402", + "src_host": "127.0.0.1", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Connect", + "timestamp": "Mar 11 09:46:56", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154759500Z", + "original": "\u003c5\u003e1 2021-03-11T17:46:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n 
\u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:56\",\"IsoTimestamp\":\"2021-03-11T17:46:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:48:34.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:48:34Z", + "raw": "\u003csyslog\u003e\n\n 
\u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": 
"PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "f6acbf00-8291-11eb-b9ba-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Connect", + "timestamp": "Mar 11 09:48:34", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154762400Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:34\",\"IsoTimestamp\":\"2021-03-11T17:48:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:54:56.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:54:56Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "d8ff4d32-8292-11eb-b962-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + 
"ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Connect", + "timestamp": "Mar 11 09:54:56", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154765400Z", + "original": "\u003c5\u003e1 2021-03-11T17:54:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:56\",\"IsoTimestamp\":\"2021-03-11T17:54:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:56:37.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:56:37Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "173dd46a-8293-11eb-afcb-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + 
"ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Connect", + "timestamp": "Mar 11 09:56:37", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154768100Z", + "original": "\u003c5\u003e1 2021-03-11T17:56:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:37\",\"IsoTimestamp\":\"2021-03-11T17:56:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T20:23:25.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T20:23:25Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "988b22e8-82a7-11eb-83b9-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + 
"ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Connect", + "timestamp": "Mar 11 12:23:25", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154770600Z", + "original": "\u003c5\u003e1 2021-03-11T20:23:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:25\",\"IsoTimestamp\":\"2021-03-11T20:23:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:49:37.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:49:37Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 
06:49:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "user_name": "testark", + "last_fail_date": "1615729572", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 14 06:49:37", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154773400Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:37\",\"IsoTimestamp\":\"2021-03-14T13:49:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:50:43.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:50:43Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n 
\u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "47747796-03e1-4a11-af39-ab56c00e7732", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "user_name": "testark", + "last_fail_date": "1615729572", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 14 06:50:43", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154776Z", + "original": "\u003c5\u003e1 2021-03-14T13:50:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:50:43\",\"IsoTimestamp\":\"2021-03-14T13:50:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:31:56.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:31:56Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n 
\u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "29f340df-89e9-405a-beae-0216390cda42", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 15 03:31:56", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154778700Z", + "original": "\u003c5\u003e1 2021-03-15T10:31:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n 
\u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:56\",\"IsoTimestamp\":\"2021-03-15T10:31:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM 
Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + 
}, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:33:39.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:33:39Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n 
\u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 15 03:33:39", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154781400Z", + "original": "\u003c5\u003e1 2021-03-15T10:33:39Z VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:39\",\"IsoTimestamp\":\"2021-03-15T10:33:39Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + 
"start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:35:00.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:35:00Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n 
\u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": 
"PSMP-SSH", + "psmid": "PSMServer", + "session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 15 03:35:00", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154784300Z", + "original": "\u003c5\u003e1 2021-03-15T10:35:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:00\",\"IsoTimestamp\":\"2021-03-15T10:35:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": 
"Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:18:31.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T13:18:31Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" 
Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 15 06:18:31", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154787Z", + "original": "\u003c5\u003e1 2021-03-15T13:18:31Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM 
Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:31\",\"IsoTimestamp\":\"2021-03-15T13:18:31Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM 
Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:08:06.000Z", + "file": { + "path": "Root\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:08:06Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n 
\u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 15 07:08:06", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154789800Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM 
Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:06\",\"IsoTimestamp\":\"2021-03-15T14:08:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:08:28.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + 
"user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:08:28Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031", + "last_fail_date": "1615814025" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 15 07:08:28", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154793100Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:28\",\"IsoTimestamp\":\"2021-03-15T14:08:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:11:09.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:11:09Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" 
Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615814025" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 15 07:11:09", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154795900Z", + "original": "\u003c5\u003e1 2021-03-15T14:11:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:09\",\"IsoTimestamp\":\"2021-03-15T14:11:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "300", + "kind": "event", + "action": "psm connect", + "category": [ + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T10:04:51.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-16T10:04:51Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e300\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" 
Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Connect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "8b222ac9-c2ad-49ea-9c4e-6829940f58d4", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "4", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615888216" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Connect", + "timestamp": "Mar 16 03:04:51", + "desc": "PSM Connect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:19.154798900Z", + "original": "\u003c5\u003e1 2021-03-16T10:04:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:51\",\"IsoTimestamp\":\"2021-03-16T10:04:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}",
+ "code": "300",
+ "kind": "event",
+ "action": "psm connect",
+ "category": [
+ "session"
+ ],
+ "type": [
+ "start"
+ ],
+ "outcome": "success"
+ },
+ "user": {
+ "name": "Administrator"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json
new file mode 100644
index 00000000000..710c3b92741
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json
@@ -0,0 +1,2055 @@ +{ + "expected": [ + { + "destination": { + "user": { + "name": "admin2" + }, + "address": "radiussrv.cyberark.local", + "domain": "radiussrv.cyberark.local" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.2.0.6", + "ip": "10.2.0.6" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh" + }, + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "admin2" + ], + "ip": [ + "10.2.0.6", + "10.2.0.7" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-16T15:01:00Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"LINUX-SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"admin2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"radiussrv.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"No Reason\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Customer\" Value=\"Tesla\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "rfc5424": false, + "extra_details": { + "protocol": "SSH", + "other": { + "user": "admin2" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "35fac41e-22b5-11eb-83ca-000c297aae88", + "src_host": "10.2.0.6", + "dst_host": "radiussrv.cyberark.local", + "session_duration": "00:00:07" + }, + "file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "ca_properties": { + "other": {}, + "address": "radiussrv.cyberark.local", + "creation_method": "PVWA", + "policy_id": "LINUX-SSH", + "user_name": "admin2", + "cpm_disabled": "No Reason", + "device_type": "Operating System", + "customer": "Tesla" + }, + "safe": "Linux", + "station": "10.2.0.7", + "action": "PSM Disconnect", + "desc": "PSM Disconnect" + } + }, + "event": { + "severity": 2, + "duration": 
7000000000, + "ingested": "2021-05-31T15:30:19.830741900Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No 
Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"302\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + 
"user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:26.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:38:26Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "87012dcc-8290-11eb-949e-080027efd402", + "src_host": "127.0.0.1", + "dst_host": "34.123.103.115", + "session_duration": "00:00:13" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Disconnect", + "timestamp": "Mar 11 09:38:26", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 13000000000, + "ingested": "2021-05-31T15:30:19.830758900Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n 
\u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + 
"application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:47:01.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:47:01Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM 
Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "ba22b012-8291-11eb-b981-080027efd402", + "src_host": "127.0.0.1", + "dst_host": "34.123.103.115", + "session_duration": "00:00:11" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Disconnect", + "timestamp": "Mar 11 09:47:01", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 11000000000, + "ingested": "2021-05-31T15:30:19.830763200Z", + "original": "\u003c5\u003e1 2021-03-11T17:47:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:47:01\",\"IsoTimestamp\":\"2021-03-11T17:47:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:48:40.000Z", 
+ "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:48:40Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "f6acbf00-8291-11eb-b9ba-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115", + "session_duration": "00:00:12" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Disconnect", + "timestamp": "Mar 11 09:48:40", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 12000000000, + "ingested": "2021-05-31T15:30:19.830767100Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM 
Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:40\",\"IsoTimestamp\":\"2021-03-11T17:48:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM 
Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:55:02.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + 
"cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:55:02Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "d8ff4d32-8292-11eb-b962-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115", + "session_duration": "00:00:12" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Disconnect", + "timestamp": "Mar 11 09:55:02", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 12000000000, + "ingested": "2021-05-31T15:30:19.830770100Z", + "original": "\u003c5\u003e1 2021-03-11T17:55:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:55:02\",\"IsoTimestamp\":\"2021-03-11T17:55:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:56:42.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T17:56:42Z", + "raw": 
"\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "173dd46a-8293-11eb-afcb-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115", + "session_duration": "00:00:12" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Disconnect", + "timestamp": "Mar 11 09:56:42", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 12000000000, + "ingested": "2021-05-31T15:30:19.830773Z", + "original": "\u003c5\u003e1 2021-03-11T17:56:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:42\",\"IsoTimestamp\":\"2021-03-11T17:56:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T20:23:30.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T20:23:30Z", + "raw": 
"\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "ssh", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "988b22e8-82a7-11eb-83b9-080027efd402", + "src_host": "10.0.2.2", + "dst_host": "34.123.103.115", + "session_duration": "00:00:12" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "81.32.170.205", + "action": "PSM Disconnect", + "timestamp": "Mar 11 12:23:30", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 12000000000, + "ingested": "2021-05-31T15:30:19.830775800Z", + "original": "\u003c5\u003e1 2021-03-11T20:23:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:30\",\"IsoTimestamp\":\"2021-03-11T20:23:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:49:54.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": 
"1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:49:54Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" 
Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:00:18" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "user_name": "testark", + "last_fail_date": "1615729572", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 14 06:49:54", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 18000000000, + "ingested": "2021-05-31T15:30:19.830778400Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:54\",\"IsoTimestamp\":\"2021-03-14T13:49:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:51:35.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:51:35Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n 
\u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set 
or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "47747796-03e1-4a11-af39-ab56c00e7732", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:00:54" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "user_name": "testark", + "last_fail_date": "1615729572", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 14 06:51:35", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 54000000000, + "ingested": "2021-05-31T15:30:19.830781300Z", + "original": "\u003c5\u003e1 2021-03-14T13:51:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:51:35\",\"IsoTimestamp\":\"2021-03-14T13:51:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:33:30.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:33:30Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n 
\u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n 
\u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "29f340df-89e9-405a-beae-0216390cda42", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:01:35" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 15 03:33:30", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 95000000000, + "ingested": "2021-05-31T15:30:19.830784Z", + "original": "\u003c5\u003e1 2021-03-15T10:33:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
03:33:30\",\"IsoTimestamp\":\"2021-03-15T10:33:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + 
"region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:34:50.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:34:50Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:01:13" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": 
"Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 15 03:34:50", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 73000000000, + "ingested": "2021-05-31T15:30:19.830786800Z", + "original": "\u003c5\u003e1 2021-03-15T10:34:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:34:50\",\"IsoTimestamp\":\"2021-03-15T10:34:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T11:12:09.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + 
"severity": "Info", + "iso_timestamp": "2021-03-15T11:12:09Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" 
Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:37:10" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 15 04:12:09", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 2230000000000, + "ingested": "2021-05-31T15:30:19.830789700Z", + "original": "\u003c5\u003e1 2021-03-15T11:12:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 04:12:09\",\"IsoTimestamp\":\"2021-03-15T11:12:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 
37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:18:36.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T13:18:36Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "692fe25f-f940-4170-8ea4-5241b35173f0", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:00:05" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 15 06:18:36", + "desc": "PSM 
Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 5000000000, + "ingested": "2021-05-31T15:30:19.830792400Z", + "original": "\u003c5\u003e1 2021-03-15T13:18:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:36\",\"IsoTimestamp\":\"2021-03-15T13:18:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, 
+ "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:08:11.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:08:11Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating 
System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "adrian" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "f5725611-ca57-4a2a-a089-f45b3174a358", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:00:06" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 15 07:08:11", + "desc": "PSM 
Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 6000000000, + "ingested": "2021-05-31T15:30:19.830795200Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:11\",\"IsoTimestamp\":\"2021-03-15T14:08:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, 
+ "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:08:36.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:08:36Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating 
System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "7db90436-8a1a-4203-9a96-65137625ab2d", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:00:09" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615814025" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 15 07:08:36", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 9000000000, + "ingested": "2021-05-31T15:30:19.830797700Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:36\",\"IsoTimestamp\":\"2021-03-15T14:08:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T15:00:21.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T15:00:21Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e302\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Disconnect", + "issuer": "Administrator", + "extra_details": { + "protocol": "SSH", + "other": { + "user": "testark" + }, + "managed_account": "Yes", + "application_type": "PSMP-SSH", + "psmid": "PSMServer", + "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "session_duration": "00:49:12" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "1", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615819476" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "PSM Disconnect", + "timestamp": "Mar 15 08:00:21", + "desc": "PSM Disconnect" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "duration": 2952000000000, + "ingested": "2021-05-31T15:30:19.830800600Z", + "original": "\u003c5\u003e1 2021-03-15T15:00:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:00:21\",\"IsoTimestamp\":\"2021-03-15T15:00:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "302", + "kind": "event", + "action": "psm disconnect", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json new file mode 100644 index 00000000000..62887f4c6b7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json 
@@ -0,0 +1,75 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.0.15", + "ip": "10.0.0.15" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T09:20:56.000Z", + "file": { + "path": "Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T09:20:56Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 05:20:56\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T09:20:56Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e304\u003c/MessageID\u003e\n \u003cDesc\u003ePSM Upload Recording\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_COMP01\u003c/Issuer\u003e\n \u003cAction\u003ePSM Upload Recording\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003eRoot\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eDstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003ePSM Upload Recording\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "PSM Upload Recording", + "issuer": "PSMApp_COMP01", + "rfc5424": true, + "extra_details": { + "protocol": "SSH", + "other": { + "user": "root" + }, + "logon_account": "logon", + "psmid": "PSMServer", + "session_id": "a4636750-50a2-492e-984c-e08743d8a883", + "src_host": "127.0.0.1", + "dst_host": "rhel7.cybr.com", + "session_duration": "00:00:46" + }, + "file": "Root\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt", + "safe": "PSMRecordings", + "station": "10.0.0.15", + "action": "PSM Upload Recording", + "timestamp": "Mar 25 05:20:56", + "desc": "PSM Upload Recording" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "action": "psm upload recording", + "ingested": "2021-05-31T15:30:20.491148200Z", + "original": "\u003c5\u003e1 2021-03-25T09:20:56Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e304\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Upload Recording\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Upload Recording\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Upload Recording\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 05:20:56\",\"IsoTimestamp\":\"2021-03-25T09:20:56Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"304\",\"Desc\":\"PSM Upload Recording\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_COMP01\",\"Action\":\"PSM Upload Recording\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"Root\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\",\"Message\":\"PSM Upload Recording\",\"GatewayStation\":\"\"}}}", + "code": "304", + "kind": "event" + } + } + ] +} \ No newline at end of file 
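Review bot: The expected document for MessageID 304 (PSM Upload Recording) carries only `event.kind`, `event.code` and `event.action`; it has no `event.category`, `event.type` or `event.outcome`, whereas the 302 (PSM Disconnect) fixture earlier in this patch is categorized as `"category": ["session"]`, `"type": ["end"]`, `"outcome": "success"`. If this is what the pipeline emits today, the fixture freezes a categorization gap rather than testing it, and an upload-recording audit record (a session artifact) would presumably deserve a `session` category mapping like its 302 sibling — worth confirming against the pipeline's code-to-category table before committing this as the oracle. Likewise `user.name` and `related.user` are absent here although the record has `issuer: PSMApp_COMP01` and `extra_details.other.user: root`, while the 302 document promotes its issuer to `user.name`; if service-account issuers are deliberately excluded, a short comment in the pipeline (fixtures cannot carry one) would make that intent reviewable. Minor: the file ends with `\ No newline at end of file`, unlike a generated fixture that is re-emitted with a trailing newline, which will produce a spurious diff on the next regeneration.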
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json new file mode 100644 index 00000000000..0b7cbaa9500 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json 
@@ -0,0 +1,1249 @@ +{ + "expected": [ + { + "destination": { + "user": { + "name": "Administrator2" + }, + "address": "dbserver.cyberark.local", + "domain": "dbserver.cyberark.local" + }, + "source": { + "user": { + "name": "adm2" + }, + "address": "10.2.0.6", + "ip": "10.2.0.6" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "adm2", + "Administrator2" + ], + "ip": [ + "10.2.0.6", + "10.2.0.3" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "(Action: Connect)", + "iso_timestamp": "2021-03-16T15:01:00Z", + "gateway_station": "10.2.0.3", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eWindows\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Connect)\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n 
\u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WIN-SERVER-LOCAL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"Administrator2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"dbserver.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"DBServer\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessReconciliation\" Value=\"1604944215\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Customer\" Value=\"EvilCorp\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "adm2", + "rfc5424": false, + "file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "ca_properties": { + "other": {}, + "address": "dbserver.cyberark.local", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WIN-SERVER-LOCAL", + "last_success_reconciliation": "1604944215", + "user_name": "Administrator2", + "device_type": "Operating System", + "retries_count": "-1", + "last_task": "ReconcileTask", + "sequence_id": "1", + "logon_domain": "DBServer", + "customer": "EvilCorp" + }, + "safe": "Windows", + "station": "10.2.0.6", + "action": "Use Password", + "desc": "Use Password" + } + }, + "event": { + "severity": 2, + "reason": "(Action: 
Connect)", + "ingested": "2021-05-31T15:30:20.525192800Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" 
Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"308\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": 
[ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "adm2" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:12.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "fun and profit", + "iso_timestamp": "2021-03-11T17:38:12Z", + "gateway_station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003efun and profit\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Use Password", + "timestamp": "Mar 11 09:38:12", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "fun and profit", + "ingested": "2021-05-31T15:30:20.525207800Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 
11 09:38:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:12\",\"IsoTimestamp\":\"2021-03-11T17:38:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:46:49.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + 
"34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "FOR FUN.", + "iso_timestamp": "2021-03-11T17:46:49Z", + "gateway_station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n 
\u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Use Password", + "timestamp": "Mar 11 09:46:49", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "FOR FUN.", + "ingested": "2021-05-31T15:30:20.525211500Z", + "original": "\u003c5\u003e1 2021-03-11T17:46:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:49\",\"IsoTimestamp\":\"2021-03-11T17:46:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"FOR FUN.\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + 
"geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:48:27.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "For fun and profit", + "iso_timestamp": "2021-03-11T17:48:27Z", + "gateway_station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n 
\u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "10.0.2.2", + "action": "Use Password", + "timestamp": "Mar 11 09:48:27", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "For fun and profit", + "ingested": "2021-05-31T15:30:20.525214500Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:27\",\"IsoTimestamp\":\"2021-03-11T17:48:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"For fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:54:49.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Because I say so", + "iso_timestamp": "2021-03-11T17:54:49Z", + "gateway_station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n 
\u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + 
"creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "10.0.2.2", + "action": "Use Password", + "timestamp": "Mar 11 09:54:49", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "Because I say so", + "ingested": "2021-05-31T15:30:20.525217400Z", + "original": "\u003c5\u003e1 2021-03-11T17:54:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:49\",\"IsoTimestamp\":\"2021-03-11T17:54:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Because I say so\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + 
"ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:56:30.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "for fun", + "iso_timestamp": "2021-03-11T17:56:30Z", + "gateway_station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003efor fun\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "10.0.2.2", + "action": "Use Password", + "timestamp": "Mar 11 09:56:30", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "for fun", + "ingested": "2021-05-31T15:30:20.525257300Z", + "original": "\u003c5\u003e1 2021-03-11T17:56:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n 
\u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efor fun\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:30\",\"IsoTimestamp\":\"2021-03-11T17:56:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"for fun\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T20:23:17.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "10.0.2.2", + "34.123.103.115", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "testing", + "iso_timestamp": "2021-03-11T20:23:17Z", + "gateway_station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n 
\u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003etesting\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "10.0.2.2", + "action": "Use Password", + "timestamp": "Mar 11 12:23:17", + "desc": "Use Password" + 
} + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "testing", + "ingested": "2021-05-31T15:30:20.525274800Z", + "original": "\u003c5\u003e1 2021-03-11T20:23:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003etesting\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:17\",\"IsoTimestamp\":\"2021-03-11T20:23:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": 
"81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:49:35.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:49:35Z", + "gateway_station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n 
\u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "user_name": "testark", + "last_fail_date": "1615729572", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "81.32.170.205", + "action": "Use Password", + "timestamp": "Mar 14 06:49:35", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:20.525279Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "failure" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:31:54.000Z", + "file": { + "path": "Root\\Operating 
System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:31:54Z", + "gateway_station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" 
Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "81.32.170.205", + "action": "Use Password", + "timestamp": "Mar 15 03:31:54", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:20.525282500Z", + "original": "\u003c5\u003e1 2021-03-15T10:31:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n 
\u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:54\",\"IsoTimestamp\":\"2021-03-15T10:31:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use 
Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + 
"vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:08:26.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:08:26Z", + "gateway_station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615814025" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "81.32.170.205", + "action": "Use Password", + "timestamp": "Mar 15 07:08:26", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:20.525285500Z", + "original": "\u003c5\u003e1 2021-03-15T14:08:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:26\",\"IsoTimestamp\":\"2021-03-15T14:08:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "failure" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + 
"vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T10:04:49.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-16T10:04:49Z", + "gateway_station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e308\u003c/MessageID\u003e\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUse Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUse Password\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Use Password", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "4", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615888216" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "81.32.170.205", + "action": "Use Password", + "timestamp": "Mar 16 03:04:49", + "desc": "Use Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:20.525288500Z", + "original": "\u003c5\u003e1 2021-03-16T10:04:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:49\",\"IsoTimestamp\":\"2021-03-16T10:04:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "308", + "kind": "event", + "action": "use password", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "failure" + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json new file mode 100644 index 00000000000..d7e4552eb46 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json 
@@ -0,0 +1,418 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:31:52.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "adriansr" + ], + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:31:52Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "action": "Undefined User Logon", + "message": "Undefined User Logon", + "issuer": "adriansr", + "timestamp": "Mar 08 10:31:52", + "desc": "Undefined User Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:20.886786200Z", + "original": "\u003c7\u003e1 2021-03-08T18:31:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:31:52\",\"IsoTimestamp\":\"2021-03-08T18:31:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansr\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "309", + "kind": "event", + "action": "authentication_failure", + "type": [ + "error" + ], + "category": [ + "authentication" + ], + "outcome": "failure" + }, + "user": { + "name": "adriansr" + 
} + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:32:03.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "adriansra" + ], + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:32:03Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "action": "Undefined User Logon", + "message": "Undefined User Logon", + "issuer": "adriansra", + "timestamp": "Mar 08 10:32:03", + "desc": "Undefined User Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:20.886811900Z", + "original": "\u003c7\u003e1 2021-03-08T18:32:03Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:03\",\"IsoTimestamp\":\"2021-03-08T18:32:03Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansra\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "309", + "kind": "event", + "action": "authentication_failure", + "type": [ + "error" + ], + "category": [ + "authentication" + ], + "outcome": "failure" + }, + "user": { + "name": "adriansra" + } + }, + { + "log": { + 
"syslog": { + "priority": 7 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:43:26.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMAdmin" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:43:26Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined 
User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Undefined User Logon", + "message": "Undefined User Logon", + "issuer": "PSMAdmin", + "timestamp": "Mar 11 08:43:26", + "desc": "Undefined User Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:20.886815500Z", + "original": "\u003c7\u003e1 2021-03-11T16:43:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:43:26\",\"IsoTimestamp\":\"2021-03-11T16:43:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"PSMAdmin\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"\"}}}", + "code": "309", + "kind": "event", + "action": "authentication_failure", + "type": [ + "error" + ], + "category": [ + "authentication" + ], + "outcome": "failure" + }, + "user": { + "name": "PSMAdmin" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:46:28.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "adrian" + ], + "ip": [ + "127.0.0.1", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:46:28Z", + "gateway_station": "81.32.170.205", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\n 
\u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Undefined User Logon", + "message": "Undefined User Logon", + "issuer": "adrian", + "timestamp": "Mar 11 09:46:28", + "desc": "Undefined User Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:20.886818400Z", + "original": "\u003c7\u003e1 2021-03-11T17:46:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User 
Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:28\",\"IsoTimestamp\":\"2021-03-11T17:46:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adrian\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"81.32.170.205\"}}}", + "code": "309", + "kind": "event", + "action": "authentication_failure", + "type": [ + "error" + ], + "category": [ + "authentication" + ], + "outcome": "failure" + }, + "user": { + "name": "adrian" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "source": { + "geo": { + 
"continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:28:00.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "testark" + ], + "ip": [ + "81.32.170.205", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-14T13:28:00Z", + "gateway_station": "34.71.250.247", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e309\u003c/MessageID\u003e\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Undefined User Logon", + "message": "Undefined User Logon", + "issuer": "testark", + "timestamp": "Mar 14 06:28:00", + "desc": "Undefined User Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:20.886820900Z", + "original": "\u003c7\u003e1 2021-03-14T13:28:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:28:00\",\"IsoTimestamp\":\"2021-03-14T13:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"testark\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"34.71.250.247\"}}}", + "code": "309", + "kind": "event", + "action": "authentication_failure", + "type": [ + "error" + ], + "category": [ + "authentication" + ], + "outcome": "failure" + }, + "user": { + "name": "testark" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json new file mode 100644 index 00000000000..2b87f5b6212 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json 
@@ -0,0 +1,97 @@ +{ + "expected": [ + { + "destination": { + "address": "dbserver.cyberark.local", + "domain": "dbserver.cyberark.local" + }, + "source": { + "address": "10.2.0.4", + "ip": "10.2.0.4" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "Administrator2" + ], + "ip": [ + "10.2.0.4" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "ImmediateTask", + "iso_timestamp": "2021-03-16T15:01:00Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e31\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eWindows\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=dbserver.cyberark.local;username=Administrator2;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password\u003c/Message\u003e\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WIN-SERVER-LOCAL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"Administrator2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"dbserver.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"DBServer\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessReconciliation\" Value=\"1604944215\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Customer\" Value=\"EvilCorp\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password", + "issuer": "PasswordManager", + "rfc5424": false, + "extra_details": { + "other": { + "address": "dbserver.cyberark.local" + }, + "username": "Administrator2" + }, + "file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "ca_properties": { + "other": {}, + "address": "dbserver.cyberark.local", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WIN-SERVER-LOCAL", + "last_success_reconciliation": "1604944215", + "user_name": "Administrator2", + "device_type": "Operating System", + "retries_count": "-1", + "last_task": "ReconcileTask", + "sequence_id": "1", + "logon_domain": "DBServer", + "customer": "EvilCorp" + }, + "safe": "Windows", + "station": 
"10.2.0.4", + "action": "CPM Reconcile Password", + "desc": "CPM Reconcile Password" + } + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.012386200Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e31\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=dbserver.cyberark.local;username=Administrator2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" 
Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Version\":\"11.6.0000\",\"MessageID\":\"31\",\"Desc\":\"CPM Reconcile Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=dbserver.cyberark.local;username=Administrator2;\",\"Message\":\"CPM Reconcile Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", + "code": "31", + "kind": "event", + "action": "cpm reconcile password", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "Administrator2" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json new file mode 100644 index 00000000000..88c9e117319 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json 
@@ -0,0 +1,103 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:01.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:01Z", + "station": "0.0.0.0", + "action": "Monitor DR Replication start", + "message": "Monitor DR Replication start", + "issuer": "Batch", + "timestamp": "Mar 04 11:10:01", + "desc": "Monitor DR Replication start" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "monitor dr replication start", + "ingested": "2021-05-31T15:30:21.062012500Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", + "code": "310", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T02:48:07.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + 
"rfc5424": false, + "severity": "Info", + "station": "0.0.0.0", + "action": "Monitor DR Replication start", + "message": "Monitor DR Replication start", + "issuer": "Batch", + "desc": "Monitor DR Replication start" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "action": "monitor dr replication start", + "ingested": "2021-05-31T15:30:21.062027700Z", + "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", + "code": "310", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json new file mode 100644 index 00000000000..6c761623f1e --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json 
@@ -0,0 +1,103 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:01.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:01Z", + "station": "0.0.0.0", + "action": "Monitor DR Replication end", + "message": "Monitor DR Replication end", + "issuer": "Batch", + "timestamp": "Mar 04 11:10:01", + "desc": "Monitor DR Replication end" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "monitor dr replication end", + "ingested": "2021-05-31T15:30:21.100917900Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", + "code": "311", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T02:48:07.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "rfc5424": false, + 
"severity": "Info", + "station": "0.0.0.0", + "action": "Monitor DR Replication end", + "message": "Monitor DR Replication end", + "issuer": "Batch", + "desc": "Monitor DR Replication end" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "action": "monitor dr replication end", + "ingested": "2021-05-31T15:30:21.100932600Z", + "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", + "code": "311", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json new file mode 100644 index 00000000000..f941d4c5f05 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json 
@@ -0,0 +1,71 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:16:45.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "reason": "Password changed", + "iso_timestamp": "2021-03-10T18:16:45Z", + "station": "81.32.170.205", + "action": "Reset User Password Detailed Information", + "source_user": "PSMGw_VAGRANT", + "message": "Reset User Password Detailed Information", + "issuer": "Administrator", + "timestamp": "Mar 10 10:16:45", + "desc": "Reset User Password Detailed Information" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "reset user password detailed information", + "ingested": "2021-05-31T15:30:21.142743500Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"316\",\"Desc\":\"Reset User Password Detailed Information\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password Detailed 
Information\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Password changed\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password Detailed Information\",\"GatewayStation\":\"\"}}}", + "code": "316", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json new file mode 100644 index 00000000000..58ec72323f7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json 
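Review bot: The expected output for code 316 carries `"issuer": "Administrator"` and `"source_user": "PSMGw_VAGRANT"` under cyberarkpas.audit but no `user.name`, `user.target.name` or `related.user`, and no `event.category`/`event.type`/`event.outcome`, whereas the Add Owner fixture (code 32, later in this patch) maps the same two audit fields to `user.name` / `user.target.name`, lists both in `related.user` and sets `"category": ["iam"]` with `"type": ["admin", "change"]`. If leaving password-reset events without user and category mapping is deliberate, a short comment in the pipeline saying so would stop the next reader from treating it as an oversight; if not, the pipeline needs the mapping first and these fixtures regenerating afterwards, since a reset of a user's password is at least as relevant to user-centric searches and detections as an ownership change. The same applies to the code 317 expected file in the next hunk. The fixtures also pin `event.ingested`, which looks like a per-run timestamp, so any regeneration will produce diff noise unrelated to pipeline behaviour.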
@@ -0,0 +1,70 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:16:45.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:16:45Z", + "station": "81.32.170.205", + "action": "Reset User Password", + "source_user": "PSMGw_VAGRANT", + "message": "Reset User Password", + "issuer": "Administrator", + "timestamp": "Mar 10 10:16:45", + "desc": "Reset User Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "reset user password", + "ingested": "2021-05-31T15:30:21.177432100Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"317\",\"Desc\":\"Reset User Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password\",\"GatewayStation\":\"\"}}}", + "code": "317", + "kind": "event" + } + } + ] +} \ No newline 
at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json new file mode 100644 index 00000000000..a4b334bc4e7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json 
@@ -0,0 +1,1363 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Master" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Master", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206498800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + 
"type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Master" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Administrator", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206512700Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add 
Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Administrator" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Batch" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Batch", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206516100Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
Owner\",\"SourceUser\":\"Batch\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Batch" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Operators" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Operators", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206518800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Operators\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Operators" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Backup Users" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Backup Users", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206521500Z", + "original": "\u003c5\u003e1 
2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Backup Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Backup Users" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Auditors" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Auditors", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + 
"name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206523800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Auditors" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "DR Users" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "DR Users", + "message": "Add 
Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206526200Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"DR Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "DR Users" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Notification Engines" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": 
"2021-03-10T09:11:20Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Notification Engines", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:20", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206528500Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Notification Engines\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Notification Engines" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:22.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + 
"Administrator", + "PSMPApp_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:22Z", + "safe": "PVWAConfig", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "PSMPApp_localhost.localdomain", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:22", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206530900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMPApp_localhost.localdomain" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + 
"product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:23.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMAppUsers" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:23Z", + "safe": "PSMPLiveSessions", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "PSMAppUsers", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:23", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206533300Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMAppUsers" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + 
"lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:23.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Vault Admins" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:23Z", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "Vault Admins", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:23", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206535500Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Vault Admins" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": 
"Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:23.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PVWAAppUsers" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:23Z", + "safe": "PSMPLiveSessions", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "PVWAAppUsers", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:23", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206538400Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PVWAAppUsers" + } + } + }, + { 
+ "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:36.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PVWAGWAccounts" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:36Z", + "safe": "PSMPADBUserProfile", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "PVWAGWAccounts", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:36", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206540800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:36\",\"IsoTimestamp\":\"2021-03-10T09:11:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBUserProfile\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + 
"type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PVWAGWAccounts" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:37.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMP_ADB_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:37Z", + "safe": "PSMPADBridgeConf", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "PSMP_ADB_localhost.localdomain", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:37", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206543100Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:37\",\"IsoTimestamp\":\"2021-03-10T09:11:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
Owner\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMP_ADB_localhost.localdomain" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:38.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMP_ADB_AppUsers" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:38Z", + "safe": "PSMPADBridgeCustom", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "PSMP_ADB_AppUsers", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:38", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206545500Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
01:11:38\",\"IsoTimestamp\":\"2021-03-10T09:11:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeCustom\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMP_ADB_AppUsers" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:59:32.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:59:32Z", + "safe": "PVWAConfig", + "station": "81.32.170.205", + "action": "Add Owner", + "source_user": "PSMApp_VAGRANT", + "message": "Add Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 09:59:32", + "desc": "Add Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.206547800Z", + "original": 
"\u003c5\u003e1 2021-03-10T17:59:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:32\",\"IsoTimestamp\":\"2021-03-10T17:59:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", + "code": "32", + "kind": "event", + "action": "add owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMApp_VAGRANT" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json new file mode 100644 index 00000000000..70b232ef8d7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json 
@@ -0,0 +1,69 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:21:37.000Z", + "file": { + "path": " " + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": " ", + "iso_timestamp": "2021-03-11T16:21:37Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e326\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Auto-detection Start\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Auto-detection Start\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\n \u003cFile\u003e \u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e \u003c/Reason\u003e\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Auto-detection Start\u003c/Message\u003e\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Auto-detection Start", + "issuer": "PasswordManager", + "rfc5424": true, + "extra_details": { + "ad_process_name": "LDAP Based Windows Local Administrator Account Provisioning", + "ad_process_id": "2b2d3024-be5a-4b57-9f64-3813fb56e9b9", + "other": {} + }, + "file": " ", + "safe": "PasswordManager_info", + "station": "10.0.1.20", + "action": "CPM Auto-detection Start", + "timestamp": "Mar 11 08:21:37", + "desc": "CPM Auto-detection Start" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "cpm auto-detection start", + "ingested": "2021-05-31T15:30:21.610055Z", + "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e326\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection Start\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection Start\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection Start\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"326\",\"Desc\":\"CPM Auto-detection Start\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection Start\",\"GatewayStation\":\"\"}}}", + "code": "326", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json new file mode 100644 index 00000000000..8a01d9d5ae7 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json 
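Review bot: The expected document for message 326 pins whitespace-only values — `"file": {"path": " "}`, `"reason": " "` and `"file": " "` under `cyberarkpas.audit` — so the pipeline is copying a single-space `File`/`Reason` element verbatim into ECS `file.path` rather than dropping it, and a blank `file.path` is noise for any rule or dashboard keyed on that field; the test-327 fixture in the next hunk has the same shape. A trim step or a whitespace-only drop condition in the ingest pipeline would presumably remove these, but the pipeline is outside this diff and the fixture would then need regenerating. Separately, unlike the MessageID 32/33 documents above, this document carries no `event.category`, `event.type` or `event.outcome`; if that is intentional for CPM auto-detection events, a short comment on the pipeline's action mapping saying so would save the next reviewer the same question.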
@@ -0,0 +1,69 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:21:37.000Z", + "file": { + "path": " " + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": " ", + "iso_timestamp": "2021-03-11T16:21:37Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e327\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Auto-detection End\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Auto-detection End\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\n \u003cFile\u003e \u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e \u003c/Reason\u003e\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Auto-detection End\u003c/Message\u003e\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Auto-detection End", + "issuer": "PasswordManager", + "rfc5424": true, + "extra_details": { + "ad_process_name": "LDAP Based Windows Local Administrator Account Provisioning", + "ad_process_id": "2b2d3024-be5a-4b57-9f64-3813fb56e9b9", + "other": {} + }, + "file": " ", + "safe": "PasswordManager_info", + "station": "10.0.1.20", + "action": "CPM Auto-detection End", + "timestamp": "Mar 11 08:21:37", + "desc": "CPM Auto-detection End" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "cpm auto-detection end", + "ingested": "2021-05-31T15:30:21.644006Z", + "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e327\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection End\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection End\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n 
\u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection End\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"327\",\"Desc\":\"CPM Auto-detection End\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection End\",\"GatewayStation\":\"\"}}}", + "code": "327", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json new file mode 100644 index 00000000000..65523adddec --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json 
@@ -0,0 +1,599 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:16:49.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PVWAAppUsers" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:16:49Z", + "safe": "PSM", + "station": "81.32.170.205", + "action": "Update Owner", + "source_user": "PVWAAppUsers", + "message": "Update Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 10:16:49", + "desc": "Update Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.676707Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:49\",\"IsoTimestamp\":\"2021-03-10T18:16:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "code": "33", + "kind": "event", + "action": "update owner", + 
"category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PVWAAppUsers" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:16:50.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMApp_VAGRANT" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:16:50Z", + "safe": "PVWAConfig", + "station": "81.32.170.205", + "action": "Update Owner", + "source_user": "PSMApp_VAGRANT", + "message": "Update Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 10:16:50", + "desc": "Update Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.676721300Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:50\",\"IsoTimestamp\":\"2021-03-10T18:16:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update 
Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "code": "33", + "kind": "event", + "action": "update owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMApp_VAGRANT" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:16:51.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMAppUsers" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:16:51Z", + "safe": "PSM", + "station": "81.32.170.205", + "action": "Update Owner", + "source_user": "PSMAppUsers", + "message": "Update Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 10:16:51", + "desc": "Update Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.676724500Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "code": "33", + "kind": "event", + "action": "update owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMAppUsers" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:16:51.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PSMMaster" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:16:51Z", + "safe": "PSM", + "station": "81.32.170.205", + "action": "Update Owner", + "source_user": "PSMMaster", + "message": "Update Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 10:16:51", + "desc": "Update Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.676727300Z", + "original": "\u003c5\u003e1 
2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "code": "33", + "kind": "event", + "action": "update owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PSMMaster" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:16:53.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "Vault Admins" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:16:53Z", + "safe": "PSMUniversalConnectors", + "station": "81.32.170.205", + "action": "Update Owner", + "source_user": "Vault Admins", + "message": "Update Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 10:16:53", + "desc": "Update 
Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.676730100Z", + "original": "\u003c5\u003e1 2021-03-10T18:16:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:53\",\"IsoTimestamp\":\"2021-03-10T18:16:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMUniversalConnectors\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "code": "33", + "kind": "event", + "action": "update owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "Vault Admins" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:19:18.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "PVWAAppUsers" + ], + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:19:18Z", + "safe": "PSM", + "station": "35.192.121.42", + "action": "Update 
Owner", + "source_user": "PVWAAppUsers", + "message": "Update Owner", + "issuer": "Administrator", + "timestamp": "Mar 10 14:19:18", + "desc": "Update Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.676732600Z", + "original": "\u003c5\u003e1 2021-03-10T22:19:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:18\",\"IsoTimestamp\":\"2021-03-10T22:19:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "code": "33", + "kind": "event", + "action": "update owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator", + "target": { + "name": "PVWAAppUsers" + } + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:14.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPApp_VAGRANT", + "Auditors" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + 
"severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:38:14Z", + "safe": "PSMRecordings", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e33\u003c/MessageID\u003e\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Update Owner", + "source_user": "Auditors", + "message": "Update Owner", + "issuer": "PSMPApp_VAGRANT", + "timestamp": "Mar 11 09:38:14", + "desc": "Update Owner" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.676735Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 
09:38:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e33\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:14\",\"IsoTimestamp\":\"2021-03-11T17:38:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", + "code": "33", + "kind": "event", + "action": "update owner", + "category": [ + "iam" + ], + "type": [ + "admin", + "change" + ], + "outcome": "success" + }, + "user": { 
+ "name": "PSMPApp_VAGRANT", + "target": { + "name": "Auditors" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json new file mode 100644 index 00000000000..acad450bae2 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json 
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T10:17:54.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T10:17:54Z", + "station": "0.0.0.0", + "action": "Monitor License Expiration Date start", + "message": "Monitor License Expiration Date start", + "issuer": "Batch", + "timestamp": "Mar 09 02:17:54", + "desc": "Monitor License Expiration Date start" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "monitor license expiration date start", + "ingested": "2021-05-31T15:30:21.851265300Z", + "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"355\",\"Desc\":\"Monitor License Expiration Date start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date start\",\"GatewayStation\":\"\"}}}", + "code": "355", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json new file mode 100644 index 00000000000..140dd837eff --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json 
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T10:17:54.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T10:17:54Z", + "station": "0.0.0.0", + "action": "Monitor License Expiration Date end", + "message": "Monitor License Expiration Date end", + "issuer": "Batch", + "timestamp": "Mar 09 02:17:54", + "desc": "Monitor License Expiration Date end" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "monitor license expiration date end", + "ingested": "2021-05-31T15:30:21.876955900Z", + "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"356\",\"Desc\":\"Monitor License Expiration Date end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date end\",\"GatewayStation\":\"\"}}}", + "code": "356", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json new file mode 100644 index 00000000000..51056144419 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json 
@@ -0,0 +1,103 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:01.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:01Z", + "station": "0.0.0.0", + "action": "Monitor FW rules start", + "message": "Monitor FW rules start", + "issuer": "Batch", + "timestamp": "Mar 04 11:10:01", + "desc": "Monitor FW rules start" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "monitor fw rules start", + "ingested": "2021-05-31T15:30:21.901440800Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", + "code": "357", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T02:32:56.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "rfc5424": false, + "severity": "Info", + 
"station": "0.0.0.0", + "action": "Monitor FW rules start", + "message": "Monitor FW rules start", + "issuer": "Batch", + "desc": "Monitor FW rules start" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "action": "monitor fw rules start", + "ingested": "2021-05-31T15:30:21.901459500Z", + "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", + "code": "357", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json new file mode 100644 index 00000000000..c0d1e845fbd --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json 
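Review bot: The second expected event in this hunk pins `"@timestamp": "2021-03-08T02:32:56.000Z"` for an input whose only timestamp is the year-less `Mar 08 02:32:56` in `event.original`, so the `2021` in the expectation is presumably whatever year the pipeline's date parsing fell back to when the fixture was generated. If the pipeline fills the missing year from the current date, this expectation will start failing in the next calendar year; the matching non-RFC5424 event in the test-358 fixture (next hunk) has the same exposure. Either have the pipeline pin the year for the legacy (`"rfc5424": false`) form, or mark `@timestamp` under `dynamic_fields` in the corresponding `-config.yml` for these two tests so the comparison is not year-sensitive.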
@@ -0,0 +1,103 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:01.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:01Z", + "station": "0.0.0.0", + "action": "Monitor FW Rules end", + "message": "Monitor FW Rules end", + "issuer": "Batch", + "timestamp": "Mar 04 11:10:01", + "desc": "Monitor FW Rules end" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "monitor fw rules end", + "ingested": "2021-05-31T15:30:21.939691400Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", + "code": "358", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T02:32:56.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "rfc5424": false, + "severity": "Info", + "station": "0.0.0.0", 
+ "action": "Monitor FW Rules end", + "message": "Monitor FW Rules end", + "issuer": "Batch", + "desc": "Monitor FW Rules end" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 2, + "action": "monitor fw rules end", + "ingested": "2021-05-31T15:30:21.939706400Z", + "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", + "code": "358", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json new file mode 100644 index 00000000000..aa9ab0a90fa --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json 
@@ -0,0 +1,1194 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + "domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:56:44.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:56:44Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n 
\u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "4T", + "data_base": "XE", + "user": "HR", + "sql_offset": "69B" + }, + "psmid": 
"PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "SELECT USER FROM DUAL" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:56:44", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983073300Z", + "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n 
\u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + "domain": "oracle.cybr.com" 
+ }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:56:44.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:56:44Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_OUTPUT.DISABLE\\; 
END\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "4T", + "data_base": "XE", + "user": "HR", + "sql_offset": "123B" + }, + "psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": 
"127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "BEGIN DBMS_OUTPUT.DISABLE\\; END\\;" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:56:44", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983089100Z", + "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_OUTPUT.DISABLE\\\\; END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_OUTPUT.DISABLE\\\\; END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + 
"domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:56:44.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:56:44Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND 
(UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "4T", + "data_base": "XE", + "user": "HR", + "sql_offset": "187B" + }, + "psmid": "PSMServer", + "session_id": 
"0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID)" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:56:44", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983092700Z", + "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n 
\u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" 
Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL 
Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + "domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:56:44.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:56:44Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\n 
\u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" 
Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "4T", + "data_base": "XE", + "user": "HR", + "sql_offset": "380B" + }, + "psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\= 'ROLES')" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + 
"timestamp": "Mar 25 10:56:44", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983095800Z", + "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL 
Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + "domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + 
"product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:56:44.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:56:44Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "4T", + "data_base": "XE", + "user": "HR", + "sql_offset": "596B" + }, + "psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\; END\\; (Parameters bound by position: 1\\=[SQL*Plus])" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + 
"creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:56:44", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983098500Z", + "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound 
by position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + "domain": "oracle.cybr.com" + }, + "source": { + "user": { + 
"name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:56:45.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:56:45Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:56:45\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:56:45Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SELECT DECODE('A','A','1','2') FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "5T", + "data_base": "XE", + "user": "HR", + "sql_offset": "727B" + }, + "psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": 
"127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "SELECT DECODE('A','A','1','2') FROM DUAL" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:56:45", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983101200Z", + "original": "\u003c5\u003e1 2021-03-25T14:56:45Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:45\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:45Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:45\",\"IsoTimestamp\":\"2021-03-25T14:56:45Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + 
"domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:56:54.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:56:54Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:56:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:56:54Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 
1\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "14T", + "data_base": "XE", + "user": "HR", + "sql_offset": "800B" + }, + "psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + 
"src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[HELP])" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:56:54", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983104200Z", + "original": "\u003c5\u003e1 2021-03-25T14:56:54Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n 
\u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:54\",\"IsoTimestamp\":\"2021-03-25T14:56:54Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": 
"success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + "domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:58:02.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:58:02Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:58:02\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:58:02Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n 
\u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "82T", + "data_base": "XE", + "user": "HR", + "sql_offset": "1097B" + }, + 
"psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "SELECT * FROM DBA_USERS" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:58:02", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983106800Z", + "original": "\u003c5\u003e1 2021-03-25T14:58:02Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n 
\u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:02\",\"IsoTimestamp\":\"2021-03-25T14:58:02Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": 
"oracle.cybr.com", + "domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:57:05.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:57:05Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:57:05\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:57:05Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 
1\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "25T", + "data_base": "XE", + "user": "HR", + "sql_offset": "948B" + }, + "psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + 
"src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\=[SHOW%])" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:57:05", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983109300Z", + "original": "\u003c5\u003e1 2021-03-25T14:57:05Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:57:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:57:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n 
\u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:57:05\",\"IsoTimestamp\":\"2021-03-25T14:57:05Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": 
"success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "HR" + }, + "address": "oracle.cybr.com", + "domain": "oracle.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T14:58:44.000Z", + "file": { + "path": "Root\\Database-Oracle-oracle.cybr.com-HR" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "HR" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T14:58:44Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 10:58:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T14:58:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e359\u003c/MessageID\u003e\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eSQL Command\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eOracle\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n 
\u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"HR\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"oracle.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"XE\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580248\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"1521\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011984\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"Oracle;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "SQL Command", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLPlus", + "protocol": "SQLNet", + "other": { + "vid_offset": "124T", + "data_base": "XE", + "user": "HR", + 
"sql_offset": "1153B" + }, + "psmid": "PSMServer", + "session_id": "0887c643-42f2-4a4f-806e-58c1689de0e6", + "src_host": "127.0.0.1", + "dst_host": "oracle.cybr.com", + "command": "select distinct owner from all_objects" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "oracle.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "Oracle", + "user_name": "HR", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580248", + "last_task": "VerifyTask", + "tags": "Oracle;DB", + "database": "XE", + "port": "1521", + "last_success_change": "1616011984" + }, + "file": "Root\\Database-Oracle-oracle.cybr.com-HR", + "safe": "Oracle", + "station": "10.0.0.15", + "action": "SQL Command", + "timestamp": "Mar 25 10:58:44", + "desc": "SQL Command" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:21.983111900Z", + "original": "\u003c5\u003e1 2021-03-25T14:58:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n 
\u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" 
Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:44\",\"IsoTimestamp\":\"2021-03-25T14:58:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "359", + "kind": "event", + "action": "sql command", + "category": [ + "database" + ], + "type": [ + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
new file mode 100644
index 00000000000..afffaeaecd0
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
@@ -0,0 +1,933 @@ +{ + "expected": [ + { + "destination": { + "user": { + "name": "admin2" + }, + "address": "radiussrv.cyberark.local", + "domain": "radiussrv.cyberark.local" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "10.2.0.6", + "ip": "10.2.0.6" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh" + }, + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "file": { + "path": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "admin2" + ], + "ip": [ + "10.2.0.6", + "10.2.0.7" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-16T15:01:00Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=ls 
\"/var/tmp\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"LINUX-SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"admin2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"radiussrv.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"No Reason\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Customer\" Value=\"Tesla\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "rfc5424": false, + "extra_details": { + "connection_component_id": "PSMP-SSH", + "protocol": "SSH", + "other": { + "vid_offset": "125T", + "user": "admin2", + "ssh_offset": "3642B" + }, + "managed_account": "Yes", + "psmid": "PSMServer", + "session_id": "499852f2-22b5-11eb-8bff-000c297aae88", + "src_host": "10.2.0.6", + "dst_host": "radiussrv.cyberark.local", + "command": "ls \"/var/tmp\"" + }, + "file": "Root\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2", + "ca_properties": { + "other": {}, + "address": "radiussrv.cyberark.local", + "creation_method": "PVWA", + "policy_id": "LINUX-SSH", + "user_name": "admin2", + "cpm_disabled": "No Reason", + "device_type": "Operating System", + "customer": "Tesla" + }, + "safe": "Linux", + "station": "10.2.0.7", + "action": "Keystroke logging", + "desc": "Keystroke 
logging" + } + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:22.392225300Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"361\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", + "code": "361", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + 
"lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:49:49.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T13:49:49Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n 
\u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSMP-SSH", + "protocol": "SSH", + "other": { + "vid_offset": "10T", + "user": "testark", + "ssh_offset": "1309B" + }, + "managed_account": "Yes", + "psmid": "PSMServer", + "session_id": "d284c268-2ba0-4366-af52-e33459b073a1", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "command": "sudo su" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "user_name": "testark", + "last_fail_date": "1615729572", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "Keystroke logging", + "timestamp": "Mar 14 06:49:49", + "desc": "Keystroke logging" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:22.392239100Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:49\",\"IsoTimestamp\":\"2021-03-14T13:49:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "361", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:32:04.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:32:04Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n 
\u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating 
System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSMP-SSH", + "protocol": "SSH", + "other": { + "vid_offset": "6T", + "user": "testark", + "ssh_offset": "1312B" + }, + "managed_account": "Yes", + "psmid": "PSMServer", + "session_id": "29f340df-89e9-405a-beae-0216390cda42", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "command": "sudo su" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "Keystroke logging", + "timestamp": "Mar 15 03:32:04", + "desc": "Keystroke logging" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:22.392242300Z", + "original": "\u003c5\u003e1 2021-03-15T10:32:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke 
logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
03:32:04\",\"IsoTimestamp\":\"2021-03-15T10:32:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "361", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": 
"Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:33:47.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T10:33:47Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n 
\u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSMP-SSH", + "protocol": "SSH", + "other": { + "vid_offset": "7T", + "user": "testark", + "ssh_offset": "1309B" + }, + "managed_account": "Yes", + "psmid": "PSMServer", + "session_id": "f1654cf8-8ce5-472a-8205-ba731b0fab46", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "command": "sudo su" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + 
"last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "Keystroke logging", + "timestamp": "Mar 15 03:33:47", + "desc": "Keystroke logging" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:22.392245Z", + "original": "\u003c5\u003e1 2021-03-15T10:33:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke 
logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:47\",\"IsoTimestamp\":\"2021-03-15T10:33:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "361", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:35:08.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + 
"iso_timestamp": "2021-03-15T10:35:08Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" 
Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSMP-SSH", + "protocol": "SSH", + "other": { + "vid_offset": "7T", + "user": "testark", + "ssh_offset": "1309B" + }, + "managed_account": "Yes", + "psmid": "PSMServer", + "session_id": "8b3d0b38-aef5-49d9-bdd7-d57706887d8b", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "command": "sudo su" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1615803764", + "last_task": "VerifyTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "Keystroke logging", + "timestamp": "Mar 15 03:35:08", + "desc": "Keystroke logging" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:22.392247600Z", + "original": "\u003c5\u003e1 2021-03-15T10:35:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:08\",\"IsoTimestamp\":\"2021-03-15T10:35:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "361", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": 
"United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:11:18.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:11:18Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n 
\u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814025\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSMP-SSH", + "protocol": "SSH", + "other": { + "vid_offset": "8T", + "user": "testark", + "ssh_offset": "1309B" + }, + "managed_account": "Yes", + "psmid": "PSMServer", + "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "command": "sudo su" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615814025" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "Keystroke logging", + "timestamp": "Mar 15 07:11:18", + "desc": "Keystroke logging" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:22.392250100Z", + "original": "\u003c5\u003e1 2021-03-15T14:11:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke 
logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:18\",\"IsoTimestamp\":\"2021-03-15T14:11:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "361", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "testark" + }, + "ip": "34.123.103.115" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "user": { + "name": "Administrator" + }, + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "ssh", + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:45:51.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "testark" + ], + "ip": [ + "81.32.170.205", + "34.123.103.115", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T14:45:51Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\n 
\u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e361\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" 
Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSMP-SSH", + "protocol": "SSH", + "other": { + "vid_offset": "2081T", + "user": "testark", + "ssh_offset": "296291B" + }, + "managed_account": "Yes", + "psmid": "PSMServer", + "session_id": "27f74dce-f5d5-4c94-bf99-ca6aafe2c518", + "src_host": "81.32.170.205", + "dst_host": "34.123.103.115", + "command": "(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\;" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "1", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "last_fail_date": "1615819476" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "34.71.250.247", + "action": "Keystroke logging", + "timestamp": "Mar 15 07:45:51", + "desc": "Keystroke logging" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:22.392291400Z", + "original": "\u003c5\u003e1 2021-03-15T14:45:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant 
option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:45:51\",\"IsoTimestamp\":\"2021-03-15T14:45:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set 
or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "361", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json new file mode 100644 index 00000000000..92274921ebc --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json 
@@ -0,0 +1,1740 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "user": { + "name": "ELASTIC\\bart" + }, + "ip": "34.66.114.180" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:19:58.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n", + "iso_timestamp": "2021-03-15T13:19:58Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814397\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "34.66.114.180" + }, + "username": "ELASTIC\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC\\bart", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "last_fail_date": "1615814397", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 06:19:58", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-05-31T15:30:22.703434Z", + "original": "\u003c7\u003e1 2021-03-15T13:19:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814397\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:19:58\",\"IsoTimestamp\":\"2021-03-15T13:19:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814397\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "user": { + "name": "bart" + }, + "ip": "34.66.114.180" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:25:32.000Z", + "file": { + "path": "Root\\Operating 
System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n", + "iso_timestamp": "2021-03-15T13:25:32Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615814709\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserDN\" Value=\"ELASTIC.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "34.66.114.180" + }, + "username": "bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_dn": "ELASTIC.local", + "user_name": "bart", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "cpm_error_details": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ", + "last_fail_date": "1615814709", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 06:25:32", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
", + "ingested": "2021-05-31T15:30:22.703448900Z", + "original": "\u003c7\u003e1 2021-03-15T13:25:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814709\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserDN\\\" Value=\\\"ELASTIC.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:25:32\",\"IsoTimestamp\":\"2021-03-15T13:25:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814709\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"UserDN\",\"Value\":\"ELASTIC.local\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "user": { + "name": "ELASTIC.local\\bart" + }, + "ip": "34.66.114.180" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:33:26.000Z", + "file": { + "path": "Root\\Operating 
System-WinDomain-34.66.114.180-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "iso_timestamp": "2021-03-15T13:33:26Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615815206\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "34.66.114.180" + }, + "username": "ELASTIC.local\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC.local\\bart", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "last_fail_date": "1615815206", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 06:33:26", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-05-31T15:30:22.703451800Z", + "original": "\u003c7\u003e1 2021-03-15T13:33:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615815206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:33:26\",\"IsoTimestamp\":\"2021-03-15T13:33:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615815206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "user": { + "name": "ELASTIC.local\\bart" + }, + "ip": "34.66.114.180" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T15:04:11.000Z", + "file": { + "path": "Root\\Operating 
System-WinDomain-34.66.114.180-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "iso_timestamp": "2021-03-15T15:04:11Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=1;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615820651\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "1", + "address": "34.66.114.180" + }, + "username": "ELASTIC.local\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC.local\\bart", + "device_type": "Operating System", + "retries_count": "1", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "last_fail_date": "1615820651", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 08:04:11", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-05-31T15:30:22.703454400Z", + "original": "\u003c7\u003e1 2021-03-15T15:04:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615820651\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:04:11\",\"IsoTimestamp\":\"2021-03-15T15:04:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615820651\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "user": { + "name": "ELASTIC.local\\bart" + }, + "ip": "34.66.114.180" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T16:35:01.000Z", + "file": { + "path": 
"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "iso_timestamp": "2021-03-15T16:35:01Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615826099\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "2", + "address": "34.66.114.180" + }, + "username": "ELASTIC.local\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC.local\\bart", + "device_type": "Operating System", + "retries_count": "2", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "last_fail_date": "1615826099", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 09:35:01", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-05-31T15:30:22.703456800Z", + "original": "\u003c7\u003e1 2021-03-15T16:35:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615826099\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:35:01\",\"IsoTimestamp\":\"2021-03-15T16:35:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615826099\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T16:56:29.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "root" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": 
"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "iso_timestamp": "2021-03-15T16:56:29Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 09:56:29\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T16:56:29Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"10.0.1.20\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615827245\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "10.0.1.20" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "10.0.1.20", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "cpm_error_details": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "user_name": "root", + "last_fail_date": "1615827245", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 09:56:29", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "ingested": "2021-05-31T15:30:22.703459Z", + "original": "\u003c7\u003e1 2021-03-15T16:56:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:56:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:56:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827245\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:56:29\",\"IsoTimestamp\":\"2021-03-15T16:56:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827245\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T17:01:07.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "root" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + 
"reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n", + "iso_timestamp": "2021-03-15T17:01:07Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 10:01:07\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T17:01:07Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"10.0.1.20\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615827554\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DSN\" Value=\"mariadb\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "10.0.1.20" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "dsn": "mariadb" + }, + "address": "10.0.1.20", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "cpm_error_details": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", + "user_name": "root", + "last_fail_date": "1615827554", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 10:01:07", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", + "ingested": "2021-05-31T15:30:22.703461400Z", + "original": "\u003c7\u003e1 2021-03-15T17:01:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:01:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:01:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827554\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mariadb\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:01:07\",\"IsoTimestamp\":\"2021-03-15T17:01:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827554\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"mariadb\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T17:05:47.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "root" + ], + "ip": 
[ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "iso_timestamp": "2021-03-15T17:05:47Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 10:05:47\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T17:05:47Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"10.0.1.20\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615827864\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DSN\" Value=\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "10.0.1.20" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "dsn": "DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test" + }, + "address": "10.0.1.20", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "cpm_error_details": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "user_name": "root", + "last_fail_date": "1615827864", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 10:05:47", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "ingested": "2021-05-31T15:30:22.703464200Z", + "original": "\u003c7\u003e1 2021-03-15T17:05:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:05:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:05:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827864\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:05:47\",\"IsoTimestamp\":\"2021-03-15T17:05:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827864\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T17:10:25.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "root" + ], + "ip": [ + "10.0.1.20" + ] + }, + 
"cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "iso_timestamp": "2021-03-15T17:10:25Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 10:10:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T17:10:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"10.0.1.20\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615828174\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DSN\" Value=\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "10.0.1.20" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "dsn": "DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test" + }, + "address": "10.0.1.20", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "cpm_error_details": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "user_name": "root", + "last_fail_date": "1615828174", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 10:10:25", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "ingested": "2021-05-31T15:30:22.703466700Z", + "original": "\u003c7\u003e1 2021-03-15T17:10:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:10:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:10:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615828174\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:10:25\",\"IsoTimestamp\":\"2021-03-15T17:10:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615828174\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T17:28:07.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "root" + ], + "ip": [ + "10.0.1.20", + "127.0.0.1" + ] + }, + 
"cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "iso_timestamp": "2021-03-15T17:28:07Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 10:28:07\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T17:28:07Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"127.0.0.1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615829287\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"3306\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "127.0.0.1" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "127.0.0.1", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "user_name": "root", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "database": "test", + "port": "3306", + "cpm_error_details": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "last_fail_date": "1615829287" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 10:28:07", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "ingested": "2021-05-31T15:30:22.703469Z", + "original": "\u003c7\u003e1 2021-03-15T17:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:28:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:28:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829287\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:28:07\",\"IsoTimestamp\":\"2021-03-15T17:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829287\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T17:33:17.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "root" + ], + "ip": [ + 
"10.0.1.20", + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "iso_timestamp": "2021-03-15T17:33:17Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 10:33:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T17:33:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"127.0.0.1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615829597\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"3306\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DSN\" Value=\"mysql\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "127.0.0.1" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "dsn": "mysql" + }, + "address": "127.0.0.1", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "user_name": "root", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "database": "test", + "port": "3306", + "cpm_error_details": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "last_fail_date": "1615829597" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 10:33:17", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "ingested": "2021-05-31T15:30:22.703471300Z", + "original": "\u003c7\u003e1 2021-03-15T17:33:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:33:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:33:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829597\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:33:17\",\"IsoTimestamp\":\"2021-03-15T17:33:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829597\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T17:38:27.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + 
"PasswordManager", + "root" + ], + "ip": [ + "10.0.1.20", + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n", + "iso_timestamp": "2021-03-15T17:38:27Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 10:38:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T17:38:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"127.0.0.1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615829907\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"3306\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DSN\" Value=\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "127.0.0.1" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "dsn": "Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%" + }, + "address": "127.0.0.1", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "user_name": "root", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "database": "test", + "port": "3306", + "cpm_error_details": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "last_fail_date": "1615829907" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 10:38:27", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", + "ingested": "2021-05-31T15:30:22.703473600Z", + "original": "\u003c7\u003e1 2021-03-15T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829907\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:38:27\",\"IsoTimestamp\":\"2021-03-15T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829907\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "user": { + "name": "root" + }, + "address": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "domain": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + 
"@timestamp": "2021-03-15T18:00:07.000Z", + "file": { + "path": "Root\\Database-MySQL-10.0.1.20-root" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "root" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n", + "iso_timestamp": "2021-03-15T18:00:07Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 11:00:07\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T18:00:07Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). 
Code: 2103, Error: Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234;username=root;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615831206\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"3306\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DSN\" Value=\"mysql\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "Driver\\={MySQL ODBC 5.3 Unicode Driver}\\;server\\=127.0.0.1\\;user\\=root\\;option\\=3\\;port\\=3306\\;Password\\=1234" + }, + "username": "root" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "dsn": "mysql" + }, + "address": "Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "MySQL", + "user_name": "root", + "device_type": "Database", + "retries_count": "0", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "database": "test", + "port": "3306", + "cpm_error_details": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "last_fail_date": "1615831206" + }, + "file": "Root\\Database-MySQL-10.0.1.20-root", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 11:00:07", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", + "ingested": "2021-05-31T15:30:22.703476Z", + "original": "\u003c7\u003e1 2021-03-15T18:00:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:00:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:00:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:00:07\",\"IsoTimestamp\":\"2021-03-15T18:00:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "user": { + "name": "ELASTIC.local\\bart" + }, + "ip": "34.66.114.180" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T18:05:16.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n", + "iso_timestamp": "2021-03-15T18:05:16Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"3\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615831516\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "3", + "address": "34.66.114.180" + }, + "username": "ELASTIC.local\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC.local\\bart", + "device_type": "Operating System", + "retries_count": "3", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "last_fail_date": "1615831516", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 15 11:05:16", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-05-31T15:30:22.703478200Z", + "original": "\u003c7\u003e1 2021-03-15T18:05:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831516\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:05:16\",\"IsoTimestamp\":\"2021-03-15T18:05:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831516\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "user": { + "name": "ELASTIC.local\\bart" + }, + "ip": "34.66.114.180" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T09:50:19.000Z", + "file": { + "path": 
"Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC.local\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n", + "iso_timestamp": "2021-03-16T09:50:19Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e38\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. 
Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC.local\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC.local\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615888216\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "4", + "address": "34.66.114.180" + }, + "username": "ELASTIC.local\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC.local\\bart", + "device_type": "Operating System", + "retries_count": "4", + "reset_immediately": "VerifyTask", + "last_task": "VerifyTask", + "cpm_error_details": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", + "last_fail_date": "1615888216", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-34.66.114.180-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Verify Password Failed", + "timestamp": "Mar 16 02:50:19", + "desc": "CPM Verify Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
", + "ingested": "2021-05-31T15:30:22.703480400Z", + "original": "\u003c7\u003e1 2021-03-16T09:50:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 02:50:19\",\"IsoTimestamp\":\"2021-03-16T09:50:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "38", + "kind": "event", + "action": "cpm verify password failed", + "type": [ + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json new file mode 100644 index 00000000000..8f03448be8c --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json 
@@ -0,0 +1,324 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:31:13.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:31:13Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:31:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:31:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e385\u003c/MessageID\u003e\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction 
z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "BLService Audit Record", + "location": "\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: 
AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e", + "message": "BLService Audit Record", + "issuer": "Administrator", + "timestamp": "Mar 11 08:31:13", + "desc": "BLService Audit Record" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "blservice audit record", + "ingested": "2021-05-31T15:30:23.237084300Z", + "original": "\u003c5\u003e1 2021-03-11T16:31:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" 
xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:13\",\"IsoTimestamp\":\"2021-03-11T16:31:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit 
Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "385", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:31:23.000Z", + "ecs": { + "version": "1.10.0" + 
}, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:31:23Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:31:23\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:31:23Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e385\u003c/MessageID\u003e\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: 
False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "BLService Audit Record", + "location": "\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e", + "message": "BLService Audit 
Record", + "issuer": "Administrator", + "timestamp": "Mar 11 08:31:23", + "desc": "BLService Audit Record" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "blservice audit record", + "ingested": "2021-05-31T15:30:23.237097700Z", + "original": "\u003c5\u003e1 2021-03-11T16:31:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:23\",\"IsoTimestamp\":\"2021-03-11T16:31:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; 
EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "385", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T19:40:52.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T19:40:52Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 11:40:52\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T19:40:52Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e385\u003c/MessageID\u003e\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "BLService Audit Record", + "location": "\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e", + "message": "BLService Audit Record", + "issuer": "Administrator", + "timestamp": "Mar 11 11:40:52", + "desc": "BLService Audit Record" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "blservice audit record", + "ingested": "2021-05-31T15:30:23.237100800Z", + "original": "\u003c5\u003e1 2021-03-11T19:40:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:40:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:40:52Z\u003c/IsoTimestamp\u003e\\n 
\u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:40:52\",\"IsoTimestamp\":\"2021-03-11T19:40:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster 
Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "385", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:04:35.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:04:35Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:04:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:04:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e385\u003c/MessageID\u003e\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n 
\u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "BLService Audit Record", + "location": "\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName 
z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e", + "message": "BLService Audit Record", + "issuer": "Administrator", + "timestamp": "Mar 14 05:04:35", + "desc": "BLService Audit Record" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "blservice audit record", + "ingested": "2021-05-31T15:30:23.237103500Z", + "original": "\u003c5\u003e1 2021-03-14T12:04:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:04:35\",\"IsoTimestamp\":\"2021-03-14T12:04:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "385", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, 
+ "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:04:53.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:04:53Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:04:53\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:04:53Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e385\u003c/MessageID\u003e\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; 
RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "BLService Audit Record", + "location": "\u003cVaultCommandAuditApplicativeHeader z:Id=\"1\" xmlns=\"CyberArk.AppServices.LogicContainer.Audit\" xmlns:i=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:z=\"http://schemas.microsoft.com/2003/10/Serialization/\"\u003e\u003cRuleAuditComponent z:Id=\"2\"\u003e\u003cAction z:Id=\"3\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\"4\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\"5\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, 
DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\"6\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\"7\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e", + "message": "BLService Audit Record", + "issuer": "Administrator", + "timestamp": "Mar 14 05:04:53", + "desc": "BLService Audit Record" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "blservice audit record", + "ingested": "2021-05-31T15:30:23.237105900Z", + "original": "\u003c5\u003e1 2021-03-14T12:04:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:53\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:53Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName 
z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:53\",\"IsoTimestamp\":\"2021-03-14T12:04:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent 
z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "385", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json new file mode 100644 index 00000000000..9ff035d4e0c --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json 
@@ -0,0 +1,158 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:42:36.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:42:36Z", + "station": "81.32.170.205", + "action": "User Authentication", + "message": "User Authentication", + "issuer": "Administrator", + "timestamp": "Mar 10 10:42:36", + "desc": "User Authentication" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:23.396901Z", + "original": "\u003c7\u003e1 2021-03-10T18:42:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:42:36\",\"IsoTimestamp\":\"2021-03-10T18:42:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"\"}}}", + "code": "4", + "kind": "event", + "action": "authentication_failure", + "type": [ + "error" + ], + "category": 
[ + "authentication" + ], + "outcome": "failure" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T18:03:43.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-11T18:03:43Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 10:03:43\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:03:43Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e4\u003c/MessageID\u003e\n \u003cDesc\u003eUser Authentication\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eUser Authentication\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003eUser Authentication\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "User Authentication", + "message": "User Authentication", + "issuer": "Administrator", + "timestamp": "Mar 11 10:03:43", + "desc": "User Authentication" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:23.396914300Z", + "original": "\u003c7\u003e1 2021-03-11T18:03:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:03:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:03:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e4\u003c/MessageID\u003e\\n \u003cDesc\u003eUser Authentication\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUser Authentication\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUser Authentication\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
10:03:43\",\"IsoTimestamp\":\"2021-03-11T18:03:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "4", + "kind": "event", + "action": "authentication_failure", + "type": [ + "error" + ], + "category": [ + "authentication" + ], + "outcome": "failure" + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json new file mode 100644 index 00000000000..f42d68d561c --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
@@ -0,0 +1,116 @@ +{ + "expected": [ + { + "process": { + "name": "shutdown.exe", + "pid": 4144 + }, + "destination": { + "user": { + "name": "Administrator2" + }, + "address": "dbserver.cyberark.local", + "domain": "dbserver.cyberark.local" + }, + "source": { + "user": { + "name": "adm2" + }, + "address": "10.2.0.6", + "ip": "10.2.0.6" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "rdp" + }, + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T17:11:42.000Z", + "file": { + "path": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "adm2", + "Administrator2" + ], + "ip": [ + "10.2.0.6", + "10.2.0.5" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-16T17:11:42Z", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e411\u003c/MessageID\u003e\n \u003cDesc\u003eWindow Title\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\n \u003cAction\u003eWindow Title\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eWindows\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\n \u003cStation\u003e10.2.0.5\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=shutdown.exe, Shutdown Event 
Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eWindow Title\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WIN-SERVER-LOCAL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"Administrator2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"dbserver.cyberark.local\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"DBServer\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessReconciliation\" Value=\"1604944215\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Customer\" Value=\"EvilCorp\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "message": "Window Title", + "issuer": "adm2", + "rfc5424": false, + "extra_details": { + "process_id": "4144", + "connection_component_id": "PSM-RDP", + "protocol": "RDP", + "other": { + "vid_offset": "12T", + "user": "Administrator2", + "rdp_offset": "218B" + }, + "psmid": "PSMServer_88f6598", + "process_name": "shutdown.exe", + "session_id": "a1f46060-1de4-4f56-a8ba-71fdf3140ac1", + "src_host": "10.2.0.6", + 
"dst_host": "dbserver.cyberark.local", + "command": "shutdown.exe, Shutdown Event Tracker" + }, + "file": "Root\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2", + "ca_properties": { + "other": {}, + "address": "dbserver.cyberark.local", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WIN-SERVER-LOCAL", + "last_success_reconciliation": "1604944215", + "user_name": "Administrator2", + "device_type": "Operating System", + "retries_count": "-1", + "last_task": "ReconcileTask", + "sequence_id": "1", + "logon_domain": "DBServer", + "customer": "EvilCorp" + }, + "safe": "Windows", + "station": "10.2.0.5", + "action": "Window Title", + "desc": "Window Title" + } + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:23.446758100Z", + "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e411\u003c/MessageID\u003e\\n \u003cDesc\u003eWindow Title\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eWindow Title\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.5\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=shutdown.exe, Shutdown Event 
Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eWindow Title\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"411\",\"Desc\":\"Window Title\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Window 
Title\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.5\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\",\"IsoTimestamp\":\"2021-03-16T17:11:42Z\",\"Message\":\"Window Title\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", + "code": "411", + "kind": "event", + "action": "window title", + "category": [ + "process" + ], + "type": [ + "access", + "info" + ] + }, + "user": { + "name": "adm2" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json new file mode 100644 index 00000000000..69f630a6fca --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json 
@@ -0,0 +1,121 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "sa" + }, + "address": "tgtsvr01.cybr.com", + "domain": "tgtsvr01.cybr.com" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "application": "sqlnet" + }, + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T11:29:37.000Z", + "file": { + "path": "Root\\Database-MSSql-epmsvr01.cybr.com-sa" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "sa" + ], + "ip": [ + "127.0.0.1", + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-25T11:29:37Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 07:29:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T11:29:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e412\u003c/MessageID\u003e\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eMSSQL\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MSSql-epmsvr01.cybr.com-sa\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n 
\u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003eCommand=SHOW DATABASES\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"MSSql\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"sa\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"tgtsvr01.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"master\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580240\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011980\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"SQL;DB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Keystroke logging", + "issuer": "Administrator", + "extra_details": { + "connection_component_id": "PSM-SQLServerMgmtStudio", + "protocol": "SQLNet", + "other": { + "txt_offset": "702B", + "vid_offset": "33T", + "data_base": "master", + "user": "sa" + }, + "psmid": "PSMServer", + "session_id": 
"975edc19-ad10-4b42-8098-f26afab40fac", + "src_host": "127.0.0.1", + "dst_host": "tgtsvr01.cybr.com", + "command": "SHOW DATABASES\\;" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": {}, + "address": "tgtsvr01.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "MSSql", + "user_name": "sa", + "device_type": "Database", + "retries_count": "-1", + "last_success_verification": "1616580240", + "last_task": "VerifyTask", + "tags": "SQL;DB", + "database": "master", + "last_success_change": "1616011980" + }, + "file": "Root\\Database-MSSql-epmsvr01.cybr.com-sa", + "safe": "MSSQL", + "station": "10.0.0.15", + "action": "Keystroke logging", + "timestamp": "Mar 25 07:29:37", + "desc": "Keystroke logging" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:23.493895300Z", + "original": "\u003c5\u003e1 2021-03-25T11:29:37Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 07:29:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T11:29:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e412\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eMSSQL\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MSSql-epmsvr01.cybr.com-sa\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n 
\u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SHOW DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MSSql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"sa\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"tgtsvr01.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"master\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580240\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011980\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SQL;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 07:29:37\",\"IsoTimestamp\":\"2021-03-25T11:29:37Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"412\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"MSSQL\",\"File\":\"Root\\\\Database-MSSql-epmsvr01.cybr.com-sa\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SHOW DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MSSql\"},{\"Name\":\"UserName\",\"Value\":\"sa\"},{\"Name\":\"Address\",\"Value\":\"tgtsvr01.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"master\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580240\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011980\"},{\"Name\":\"Tags\",\"Value\":\"SQL;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "412", + "kind": "event", + "action": "keystroke logging", + "category": [ + "session" + ], + "type": [ + "info" + ] + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file 
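Review bot: `source.ip` for this keystroke-logging event is `127.0.0.1`, taken from the `SrcHost=127.0.0.1` token inside ExtraDetails, while the PSM/PVWA station address `10.0.0.15` only survives in `related.ip` and `cyberarkpas.audit.station`. A loopback source address is not useful for correlating a PSM session with other telemetry, so it is worth checking whether the pipeline should prefer the Station value for `source.ip` when SrcHost is loopback, or at least map the station into a dedicated field; the decision lives in the ingest pipeline, which is outside this diff. If the current mapping is intentional, a short note in the pipeline's description for the SrcHost handling, e.g. `# SrcHost is the PSM-local client address and may be loopback; Station holds the PSM server`, would save the next reader the same question.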
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json new file mode 100644 index 00000000000..6dcba955a6c --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json 
@@ -0,0 +1,115 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "user": { + "name": "firecall1" + }, + "address": "rhel7.cybr.com", + "domain": "rhel7.cybr.com" + }, + "source": { + "user": { + "name": "PasswordManager" + }, + "address": "10.0.0.15", + "ip": "10.0.0.15" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T10:04:06.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "firecall1" + ], + "ip": [ + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "VerificationPeriod", + "iso_timestamp": "2021-03-25T10:04:06Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 06:04:06\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T10:04:06Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e414\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Verify SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Verify SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux SSH Keys\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\u003c/File\u003e\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eVerificationPeriod\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall1;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Verify SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"firecall1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"rhel7.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ExtraPass3Name\" Value=\"Operating System-UnixSSH-rhel7.cybr.com-root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ExtraPass3Folder\" Value=\"Root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ExtraPass3Safe\" Value=\"Linux Root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"VerifyTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616666646\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1582315464\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Verify SSH Key", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": 
"rhel7.cybr.com" + }, + "username": "firecall1" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": { + "extra_pass3_name": "Operating System-UnixSSH-rhel7.cybr.com-root", + "extra_pass3_safe": "Linux Root", + "extra_pass3_folder": "Root" + }, + "address": "rhel7.cybr.com", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "UnixSSHKeys", + "user_name": "firecall1", + "device_type": "Operating System", + "retries_count": "-1", + "last_success_verification": "1616666646", + "last_task": "VerifyTask", + "tags": "SSH", + "sequence_id": "2", + "last_success_change": "1582315464" + }, + "file": "Root\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1", + "safe": "Linux SSH Keys", + "station": "10.0.0.15", + "action": "CPM Verify SSH Key", + "timestamp": "Mar 25 06:04:06", + "desc": "CPM Verify SSH Key" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:23.543045Z", + "original": "\u003c5\u003e1 2021-03-25T10:04:06Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 06:04:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T10:04:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e414\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux SSH Keys\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating 
System-UnixSSHKeys-rhel7.cybr.com-firecall1\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eVerificationPeriod\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall1;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616666646\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1582315464\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 06:04:06\",\"IsoTimestamp\":\"2021-03-25T10:04:06Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"414\",\"Desc\":\"CPM Verify SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux SSH Keys\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"VerificationPeriod\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall1;\",\"Message\":\"CPM Verify SSH Key\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"firecall1\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"SequenceID\",\"Value\":\"2\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616666646\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1582315464\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "414", + "kind": "event", + "action": "cpm verify ssh key", + "category": [ + "iam" + ], + "type": [ + "admin", + 
"info" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json new file mode 100644 index 00000000000..7071205acee --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json 
@@ -0,0 +1,72 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:50:17.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T16:50:17Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e427\u003c/MessageID\u003e\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n 
\u003cMessage\u003eStore SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Store SSH Key", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Store SSH Key", + "timestamp": "Mar 11 08:50:17", + "desc": "Store SSH Key" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store ssh key", + "ingested": "2021-05-31T15:30:23.589116500Z", + "original": "\u003c5\u003e1 2021-03-11T16:50:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e427\u003c/MessageID\u003e\\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:17\",\"IsoTimestamp\":\"2021-03-11T16:50:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"427\",\"Desc\":\"Store SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store SSH Key\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "427", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json new file mode 100644 index 00000000000..fb38e0157cc --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json 
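Review bot: The expected output for message 427 (Store SSH Key) carries `event.kind: "event"` but no `event.category`, `event.type`, `event.outcome`, `user.name` or `related.user`, even though the raw record has `Issuer=Administrator` and the sibling SSH-key fixtures 414 and 428 in this same patch populate `user.name`, `source.user.name`, `related.user` and an `iam` categorisation for the same issuer. This looks like the pipeline has no mapping entry for code 427, so the fixture is pinning an under-enriched event rather than the intended one; storing a private key in the vault is exactly the kind of privileged action a detection would want categorised (`iam` / `admin` or `creation`, outcome `success`) and attributed to the acting user. The fix belongs in the ingest pipeline, after which this expected file should be regenerated rather than hand-edited.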
@@ -0,0 +1,357 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:43:44.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "(Action: Retrieve SSH key)for fun and profit", + "iso_timestamp": "2021-03-11T17:43:44Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n 
\u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Retrieve SSH Key", + "issuer": "Administrator", + "pvwa_details": { + "retrieve_reason": { + "general": { + "retrieve_action": "Retrieve SSH key", + "user_reason": "for fun and profit" + } + } + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Retrieve SSH Key", + "timestamp": "Mar 
11 09:43:44", + "desc": "Retrieve SSH Key" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "(Action: Retrieve SSH key)for fun and profit", + "ingested": "2021-05-31T15:30:23.619584600Z", + "original": "\u003c5\u003e1 2021-03-11T17:43:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:43:44\",\"IsoTimestamp\":\"2021-03-11T17:43:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)for fun and profit\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"for fun and profit\",\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "428", + "kind": "event", + "action": "retrieve ssh key", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": 
"Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T21:08:48.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", + "iso_timestamp": "2021-03-11T21:08:48Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n 
\u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 34.123.103.115)\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n \u003cConnectionDetails\u003e\n \u003cConnectionAddress\u003e34.123.103.115\u003c/ConnectionAddress\u003e\n \u003c/ConnectionDetails\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Retrieve SSH Key", + "issuer": "Administrator", + "pvwa_details": { + "retrieve_reason": { + "general": { + "retrieve_action": "Connect", + "user_reason": "testing" + }, + "connection_details": { + "connection_address": "34.123.103.115" + } + } + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + 
"user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Retrieve SSH Key", + "timestamp": "Mar 11 13:08:48", + "desc": "Retrieve SSH Key" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", + "ingested": "2021-05-31T15:30:23.619597800Z", + "original": "\u003c5\u003e1 2021-03-11T21:08:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 34.123.103.115)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n 
\u003cConnectionDetails\u003e\\n \u003cConnectionAddress\u003e34.123.103.115\u003c/ConnectionAddress\u003e\\n \u003c/ConnectionDetails\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:08:48\",\"IsoTimestamp\":\"2021-03-11T21:08:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)testing(Connection to address: 34.123.103.115)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"testing\",\"RetrieveAction\":\"Connect\"},\"ConnectionDetails\":{\"ConnectionAddress\":\"34.123.103.115\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH 
Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "428", + "kind": "event", + "action": "retrieve ssh key", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "user": { + "name": "adrian" + }, + "ip": "34.123.103.115" + }, + "source": { + "user": { + "name": "Administrator" + }, + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:18:52.000Z", + "file": { + "path": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator", + "adrian" + ], + "ip": [ + "127.0.0.1", + "34.123.103.115", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "(Action: Retrieve SSH key)", + "iso_timestamp": "2021-03-15T13:18:52Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e428\u003c/MessageID\u003e\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\n \u003cGeneral\u003e\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\n \u003c/General\u003e\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSHKeys\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Retrieve SSH Key", + "issuer": "Administrator", + "pvwa_details": { + "retrieve_reason": { + "general": { + "retrieve_action": "Retrieve SSH key" + } + } + 
}, + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "34.123.103.115", + "creation_method": "PVWA", + "policy_id": "UnixSSHKeys", + "user_name": "adrian" + }, + "file": "Root\\Operating System-UnixSSHKeys-34.123.103.115-adrian", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Retrieve SSH Key", + "timestamp": "Mar 15 06:18:52", + "desc": "Retrieve SSH Key" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "reason": "(Action: Retrieve SSH key)", + "ingested": "2021-05-31T15:30:23.619600800Z", + "original": "\u003c5\u003e1 2021-03-15T13:18:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH 
key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:52\",\"IsoTimestamp\":\"2021-03-15T13:18:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "428", + "kind": 
"event", + "action": "retrieve ssh key", + "category": [ + "iam" + ], + "type": [ + "admin", + "access" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json new file mode 100644 index 00000000000..823d207d5b4 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json 
@@ -0,0 +1,59 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:06:35.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "reason": "Status:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;", + "iso_timestamp": "2021-03-14T12:06:35Z", + "station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:06:35\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:06:35Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e449\u003c/MessageID\u003e\n \u003cDesc\u003eCreate Discovery Succeeded\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eCreate Discovery Succeeded\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eStatus:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate Discovery Succeeded\u003c/Message\u003e\n 
\u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Create Discovery Succeeded", + "message": "Create Discovery Succeeded", + "issuer": "Administrator", + "timestamp": "Mar 14 05:06:35", + "desc": "Create Discovery Succeeded" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create discovery succeeded", + "ingested": "2021-05-31T15:30:23.724918400Z", + "original": "\u003c5\u003e1 2021-03-14T12:06:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:06:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:06:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e449\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate Discovery Succeeded\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eCreate Discovery Succeeded\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eStatus:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate Discovery Succeeded\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:06:35\",\"IsoTimestamp\":\"2021-03-14T12:06:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"449\",\"Desc\":\"Create Discovery Succeeded\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create Discovery Succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Status:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\",\"ExtraDetails\":\"\",\"Message\":\"Create Discovery Succeeded\",\"GatewayStation\":\"\"}}}", + "code": "449", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json new file mode 100644 index 00000000000..382f0300634 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json 
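Review bot: The 449 "Create Discovery Succeeded" document carries `"Issuer":"Administrator"` in `event.original` but the expected output has no `user.name` and no `related.user`, and its `event` object holds only `code`, `kind` and `action` — no `event.category`, `event.type` or `event.outcome` — whereas the 428 "Retrieve SSH Key" documents earlier on this page get `user.name`, `related.user` and `iam`/`admin`/`access`/`success`. Creating a discovery as Administrator is an audit-relevant privileged action, so detections that pivot on `user.name` or `event.category:iam` would silently miss it. If this fixture was regenerated from the pipeline rather than hand-checked, the gap presumably means the pipeline's categorization table has no entry for MessageID 449 and the Issuer-to-`user.name` mapping is conditional; confirm against the ingest pipeline (not visible here) and either add the mapping or record in the fixture's companion config that 449 is deliberately left uncategorized.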
@@ -0,0 +1,251 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T10:19:42.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Dual account rotation", + "iso_timestamp": "2021-03-08T10:19:42Z", + "message": "General Audit", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "index": "2", + "dual_account_status": "Active" + } + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountB", + "index": "2", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "-1", + "last_task": "ChangeTask", + "sequence_id": "24", + "dual_account_status": "Active", + "last_success_change": "1614868762" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "safe": "Test", + "station": "10.0.1.20", + "action": "General Audit", + "timestamp": "Mar 08 02:19:42", + "desc": "General Audit" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "general audit", + "ingested": "2021-05-31T15:30:23.751750400Z", + "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 
02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "459", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T14:38:57.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + 
"audit": { + "severity": "Info", + "reason": "Dual account rotation", + "iso_timestamp": "2021-03-10T14:38:57Z", + "message": "General Audit", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "index": "1", + "dual_account_status": "Active" + } + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountA", + "index": "1", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "-1", + "last_task": "ChangeTask", + "sequence_id": "27", + "dual_account_status": "Active", + "last_success_change": "1615231204" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA", + "safe": "Test", + "station": "10.0.1.20", + "action": "General Audit", + "timestamp": "Mar 10 06:38:57", + "desc": "General Audit" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "general audit", + "ingested": "2021-05-31T15:30:23.751764100Z", + "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=1;\",\"Message\":\"General 
Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "459", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T11:48:26.000Z", + "file": { + "path": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "reason": "Dual account rotation", + "iso_timestamp": "2021-03-14T11:48:26Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e459\u003c/MessageID\u003e\n \u003cDesc\u003eGeneral 
Audit\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eGeneral Audit\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eTest\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eDual account rotation\u003c/Reason\u003e\n \u003cExtraDetails\u003eDualAccountStatus=Active;Index=2;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eGeneral Audit\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDesktopLocal\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"x_accountB\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"components\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"SequenceID\" Value=\"25\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"success\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"-1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"GroupName\" Value=\"WindowsGroup\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1615419568\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Index\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DualAccountStatus\" 
Value=\"Active\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"VirtualUsername\" Value=\"virtual\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "General Audit", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "index": "2", + "dual_account_status": "Active" + } + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "cpm_status": "success", + "policy_id": "WinDesktopLocal", + "group_name": "WindowsGroup", + "user_name": "x_accountB", + "index": "2", + "device_type": "Operating System", + "virtual_username": "virtual", + "retries_count": "-1", + "last_task": "ChangeTask", + "sequence_id": "25", + "dual_account_status": "Active", + "last_success_change": "1615419568" + }, + "file": "Root\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB", + "safe": "Test", + "station": "10.0.1.20", + "action": "General Audit", + "timestamp": "Mar 14 04:48:26", + "desc": "General Audit" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "general audit", + "ingested": "2021-05-31T15:30:23.751767300Z", + "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e459\u003c/MessageID\u003e\\n \u003cDesc\u003eGeneral Audit\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n 
\u003cAction\u003eGeneral Audit\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eDual account rotation\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDualAccountStatus=Active;Index=2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGeneral Audit\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615419568\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" 
Value=\\\"Active\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", + "code": "459", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json new file mode 100644 index 00000000000..c059ed33cad --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json 
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:14:35.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:14:35Z", + "station": "10.0.1.20", + "action": "The component public key for JWT authentication was updated", + "message": "The component public key for JWT authentication was updated", + "issuer": "PasswordManager", + "timestamp": "Mar 10 10:14:35", + "desc": "The component public key for JWT authentication was updated" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "the component public key for jwt authentication was updated", + "ingested": "2021-05-31T15:30:23.858441200Z", + "original": "\u003c5\u003e1 2021-03-10T18:14:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:14:35\",\"IsoTimestamp\":\"2021-03-10T18:14:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"467\",\"Desc\":\"The component public key for JWT authentication was updated\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"The component public key for JWT authentication was updated\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"The component public key for JWT authentication was updated\",\"GatewayStation\":\"\"}}}", + "code": "467", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json new file mode 100644 index 00000000000..17b24e97cb2 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json 
@@ -0,0 +1,105 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:01.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:01Z", + "station": "0.0.0.0", + "action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "issuer": "Builtin", + "timestamp": "Mar 04 11:10:01", + "desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1." + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:23.885181600Z", + "original": "\u003c7\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", + "code": "479", + "kind": "event", + "action": 
"security warning - the signature hash algorithm of the vault certificate is sha1.", + "type": "error" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T07:46:54.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "rfc5424": false, + "severity": "Error", + "station": "0.0.0.0", + "action": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "message": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.", + "issuer": "Builtin", + "desc": "Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1." + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "event": { + "severity": 7, + "ingested": "2021-05-31T15:30:23.885195Z", + "original": "Mar 08 07:46:54 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", + "code": "479", + "kind": "event", + "action": "security warning - the signature hash algorithm of the vault certificate is sha1.", + "type": "error" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json new file mode 100644 index 00000000000..423d8006e67 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json 
@@ -0,0 +1,57 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:31:49.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T08:31:49Z", + "station": "10.0.1.20", + "action": "Update existing Add Account Bulk Operation succeeded", + "message": "Update existing Add Account Bulk Operation succeeded", + "issuer": "PVWAAppUser", + "timestamp": "Mar 10 00:31:49", + "desc": "Update existing Add Account Bulk Operation succeeded" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "update existing add account bulk operation succeeded", + "ingested": "2021-05-31T15:30:23.925378700Z", + "original": "\u003c5\u003e1 2021-03-10T08:31:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:49\",\"IsoTimestamp\":\"2021-03-10T08:31:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"482\",\"Desc\":\"Update existing Add Account Bulk Operation succeeded\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Update existing Add Account Bulk Operation succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update existing Add Account Bulk Operation succeeded\",\"GatewayStation\":\"\"}}}", + "code": "482", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json new file mode 100644 index 00000000000..3358e5fa1e5 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json 
@@ -0,0 +1,398 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:24:50.000Z", + "file": { + "path": "Root\\YWRtaW5pc3RyYXRvcg==" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:24:50Z", + "file": "Root\\YWRtaW5pc3RyYXRvcg==", + "safe": "PVWAPrivateUserPrefs", + "station": "10.0.1.20", + "action": "Store File", + "message": "Store File", + "issuer": "PVWAAppUser", + "timestamp": "Mar 08 10:24:50", + "desc": "Store File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store file", + "ingested": "2021-05-31T15:30:23.954026800Z", + "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "code": "50", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": 
"Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:21.000Z", + "file": { + "path": "Root\\syntaxparser-conf.json.1.1" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:21Z", + "file": "Root\\syntaxparser-conf.json.1.1", + "safe": "PSMPConf", + "station": "81.32.170.205", + "action": "Store File", + "message": "Store File", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:21", + "desc": "Store File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store file", + "ingested": "2021-05-31T15:30:23.954042300Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"Root\\\\syntaxparser-conf.json.1.1\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "code": "50", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + 
"hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:36:22.000Z", + "file": { + "path": "Root\\PVConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:36:22Z", + "file": "Root\\PVConfiguration.xml", + "safe": "PVWAConfig", + "station": "127.0.0.1", + "action": "Store File", + "message": "Store File", + "issuer": "Administrator", + "timestamp": "Mar 10 10:36:22", + "desc": "Store File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store file", + "ingested": "2021-05-31T15:30:23.954063900Z", + "original": "\u003c5\u003e1 2021-03-10T18:36:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:36:22\",\"IsoTimestamp\":\"2021-03-10T18:36:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "code": "50", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": 
"11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:17:56.000Z", + "file": { + "path": "ROOT\\PVConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:17:56Z", + "file": "ROOT\\PVConfiguration.xml", + "safe": "PVWAConfig", + "station": "35.192.121.42", + "action": "Store File", + "message": "Store File", + "issuer": "Administrator", + "timestamp": "Mar 10 14:17:56", + "desc": "Store File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store file", + "ingested": "2021-05-31T15:30:23.954068800Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:56\",\"IsoTimestamp\":\"2021-03-10T22:17:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "code": "50", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", 
+ "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:27.000Z", + "file": { + "path": "root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:38:27Z", + "file": "root\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt", + "safe": "PSMRecordings", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e50\u003c/MessageID\u003e\n \u003cDesc\u003eStore File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eStore File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\n \u003cFile\u003eroot\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore File\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Store File", + "message": "Store File", + "issuer": "PSMPApp_VAGRANT", + "timestamp": "Mar 11 09:38:27", + "desc": "Store File" + } + }, + "host": { + 
"name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store file", + "ingested": "2021-05-31T15:30:23.954072100Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:27\",\"IsoTimestamp\":\"2021-03-11T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", + "code": "50", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T19:45:26.000Z", + "file": { + "path": "Root\\PVConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T19:45:26Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e50\u003c/MessageID\u003e\n \u003cDesc\u003eStore File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eStore File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PVConfiguration.xml\u003c/File\u003e\n 
\u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eStore File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Store File", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\PVConfiguration.xml", + "safe": "PVWAConfig", + "station": "127.0.0.1", + "action": "Store File", + "timestamp": "Mar 11 11:45:26", + "desc": "Store File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "store file", + "ingested": "2021-05-31T15:30:23.954075100Z", + "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "50", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json new file mode 100644 index 00000000000..e3cbd6e2b22 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json 
@@ -0,0 +1,120 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:05.000Z", + "file": { + "path": "Root\\Policies\\Policy-GenericWebApp.ini" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:05Z", + "file": "Root\\Policies\\Policy-GenericWebApp.ini", + "safe": "PasswordManagerShared", + "station": "10.0.1.20", + "action": "Retrieve File", + "message": "Retrieve File", + "issuer": "PasswordManager", + "timestamp": "Mar 04 11:10:05", + "desc": "Retrieve File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "retrieve file", + "ingested": "2021-05-31T15:30:24.089609500Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", + "code": "51", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + 
"preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:11:23.000Z", + "file": { + "path": "Root\\main_appprovider.conf.Win64.11.04" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:11:23Z", + "file": "Root\\main_appprovider.conf.Win64.11.04", + "safe": "AppProviderConf", + "station": "10.0.1.20", + "action": "Retrieve File", + "message": "Retrieve File", + "issuer": "Prov_COMPONENTS", + "timestamp": "Mar 04 11:11:23", + "desc": "Retrieve File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "retrieve file", + "ingested": "2021-05-31T15:30:24.089622800Z", + "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AppProviderConf\",\"File\":\"Root\\\\main_appprovider.conf.Win64.11.04\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", + "code": "51", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json new file mode 100644 index 00000000000..7f677bcec88 --- /dev/null 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json 
@@ -0,0 +1,731 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:32:43.000Z", + "file": { + "path": "Root\\Operating System-WinDesktopLocal-Address-adriansr" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-08T18:32:43Z", + "gateway_station": "10.0.1.20", + "message": "Delete File", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "components", + "creation_method": "PVWA", + "policy_id": "WinDesktopLocal", + "user_name": "adriansr" + }, + "file": "Root\\Operating System-WinDesktopLocal-Address-adriansr", + "safe": "Test", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 08 10:32:43", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137889900Z", + "original": "\u003c5\u003e1 2021-03-08T18:32:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:43\",\"IsoTimestamp\":\"2021-03-08T18:32:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:38:21.000Z", + "file": { + "path": "Root\\Operating System-WinServerLocal-components-adriansr" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-08T18:38:21Z", + "gateway_station": "10.0.1.20", + "message": "Delete File", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "components", + "creation_method": "PVWA", + "policy_id": "WinServerLocal", + "user_name": "adriansr", + "logon_domain": "COMPONENTS", + "device_type": "Operating System" + }, + "file": "Root\\Operating System-WinServerLocal-components-adriansr", + "safe": "VaultInternal", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 08 10:38:21", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137909200Z", + "original": 
"\u003c5\u003e1 2021-03-08T18:38:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:38:21\",\"IsoTimestamp\":\"2021-03-08T18:38:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"VaultInternal\",\"File\":\"Root\\\\Operating System-WinServerLocal-components-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinServerLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"LogonDomain\",\"Value\":\"COMPONENTS\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T19:20:04.000Z", + "file": { + "path": "Root\\Test_4" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T19:20:04Z", + "file": "Root\\Test_4", + "safe": "PasswordManager_workspace", + "station": "10.0.1.20", + "action": "Delete File", + "message": "Delete File", + "issuer": "PasswordManager", + "timestamp": "Mar 08 11:20:04", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + 
"event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137911400Z", + "original": "\u003c5\u003e1 2021-03-08T19:20:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:04\",\"IsoTimestamp\":\"2021-03-08T19:20:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"Root\\\\Test_4\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T18:59:57.000Z", + "file": { + "path": "Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T18:59:57Z", + "file": "Root\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd", + "safe": "PSMSessions", + "station": "35.192.121.42", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 
10:59:57\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Delete File", + "message": "Delete File", + "issuer": "PSMApp_ASR-WIN", + "timestamp": "Mar 11 10:59:57", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137913100Z", + "original": "\u003c5\u003e1 2021-03-11T18:59:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:59:57\",\"IsoTimestamp\":\"2021-03-11T18:59:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": 
"2021-03-11T19:32:12.000Z", + "file": { + "path": "Root\\PSMPApp_VAGRANT.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T19:32:12Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 11:32:12\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T19:32:12Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"_PSMLiveSessions_1\" Value=\"\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"_PSMLiveSessions_2\" Value=\"\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"_PSMLiveSessions_3\" Value=\"\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"_PSMLiveSessions_4\" Value=\"\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"_PSMLiveSessions_5\" 
Value=\"\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Delete File", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": { + "__psm_live_sessions_4": "", + "__psm_live_sessions_5": "", + "__psm_live_sessions_2": "", + "__psm_live_sessions_3": "", + "__psm_live_sessions_1": "" + } + }, + "file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "safe": "PSMPLiveSessions", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 11 11:32:12", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137914500Z", + "original": "\u003c5\u003e1 2021-03-11T19:32:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:32:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:32:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_1\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_2\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_3\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_4\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_5\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:32:12\",\"IsoTimestamp\":\"2021-03-11T19:32:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"_PSMLiveSessions_1\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_2\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_3\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_4\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_5\",\"Value\":\"\"}]}}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, 
+ "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T21:06:40.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T21:06:40Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"PSMConnect\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty 
Name=\"Address\" Value=\"35.192.121.42\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Delete File", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "other": {}, + "device_type": "Operating System", + "address": "35.192.121.42", + "creation_method": "PVWA", + "policy_id": "WinDomain", + "user_name": "PSMConnect" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-PSMConnect", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 11 13:06:40", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137916500Z", + "original": "\u003c5\u003e1 2021-03-11T21:06:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\u003c/File\u003e\\n 
\u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"35.192.121.42\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:40\",\"IsoTimestamp\":\"2021-03-11T21:06:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"35.192.121.42\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "52", + "kind": "event" + } + }, + { 
+ "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T21:06:50.000Z", + "file": { + "path": "Root\\PSM-ASR-CYBERARK-WI" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T21:06:50Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:06:50\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:06:50Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSM-ASR-CYBERARK-WI\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n 
\u003cCAProperties\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"PSMConnect\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"10.128.0.65\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"ASR-CYBERARK-WI\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Delete File", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "logon_domain": "ASR-CYBERARK-WI", + "other": {}, + "address": "10.128.0.65", + "user_name": "PSMConnect" + }, + "file": "Root\\PSM-ASR-CYBERARK-WI", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 11 13:06:50", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137945Z", + "original": "\u003c5\u003e1 2021-03-11T21:06:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.65\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"ASR-CYBERARK-WI\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:50\",\"IsoTimestamp\":\"2021-03-11T21:06:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.65\"},{\"Name\":\"LogonDomain\",\"Value\":\"ASR-CYBERARK-WI\"}]}}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": 
"2021-03-14T12:10:17.000Z", + "file": { + "path": "Root\\PSMAdmin" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T12:10:17Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:10:17\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:10:17Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMAdmin\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"PSMAdminConnect\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"169.254.180.25\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"VAGRANT-2012-R2\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Delete File", + "issuer": 
"Administrator", + "rfc5424": true, + "ca_properties": { + "logon_domain": "VAGRANT-2012-R2", + "other": {}, + "address": "169.254.180.25", + "user_name": "PSMAdminConnect" + }, + "file": "Root\\PSMAdmin", + "safe": "PSM", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 14 05:10:17", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137947100Z", + "original": "\u003c5\u003e1 2021-03-14T12:10:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:10:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:10:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:10:17\",\"IsoTimestamp\":\"2021-03-14T12:10:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T15:09:00.000Z", + "file": { + "path": "Root\\Database-Oracle-10.128.0.7-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T15:09:00Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n 
\u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:09:00\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:09:00Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-Oracle-10.128.0.7-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"Oracle\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"10.128.0.7\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"3306\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Delete File", + "issuer": 
"Administrator", + "rfc5424": true, + "ca_properties": { + "database": "test", + "other": {}, + "address": "10.128.0.7", + "creation_method": "PVWA", + "policy_id": "Oracle", + "port": "3306", + "user_name": "adrian", + "device_type": "Database" + }, + "file": "Root\\Database-Oracle-10.128.0.7-adrian", + "safe": "partner", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 15 08:09:00", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137948800Z", + "original": "\u003c5\u003e1 2021-03-15T15:09:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:09:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:09:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:09:00\",\"IsoTimestamp\":\"2021-03-15T15:09:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-Oracle-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "52", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + 
"source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T15:13:59.000Z", + "file": { + "path": "Root\\Database-MySQL-10.128.0.7-adrian" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-15T15:13:59Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 08:13:59\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T15:13:59Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e52\u003c/MessageID\u003e\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eDelete File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Database-MySQL-10.128.0.7-adrian\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eDelete File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" 
Value=\"MySQL\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"adrian\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"10.128.0.7\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Port\" Value=\"3306\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Database\" Value=\"test\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Database\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Delete File", + "issuer": "Administrator", + "rfc5424": true, + "ca_properties": { + "database": "test", + "other": {}, + "address": "10.128.0.7", + "creation_method": "PVWA", + "policy_id": "MySQL", + "port": "3306", + "user_name": "adrian", + "device_type": "Database" + }, + "file": "Root\\Database-MySQL-10.128.0.7-adrian", + "safe": "partner", + "station": "127.0.0.1", + "action": "Delete File", + "timestamp": "Mar 15 08:13:59", + "desc": "Delete File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "delete file", + "ingested": "2021-05-31T15:30:24.137950300Z", + "original": "\u003c5\u003e1 2021-03-15T15:13:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:13:59\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:13:59Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n 
\u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:13:59\",\"IsoTimestamp\":\"2021-03-15T15:13:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", + "code": "52", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json new file mode 100644 index 00000000000..4b63c08aa34 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json 
@@ -0,0 +1,118 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "address": "rhel7.cybr.com", + "domain": "rhel7.cybr.com" + }, + "source": { + "address": "10.0.0.15", + "ip": "10.0.0.15" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VLT01", + "version": "12.0.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-25T12:00:08.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "firecall2" + ], + "ip": [ + "10.0.0.15" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", + "iso_timestamp": "2021-03-25T12:00:08Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 25 08:00:08\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-25T12:00:08Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\n \u003cMessageID\u003e57\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Change Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Change Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eLinux Accounts\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\u003c/File\u003e\n 
\u003cStation\u003e10.0.0.15\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall2;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Change Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"firecall2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"rhel7.cybr.com\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ExtraPass3Name\" Value=\"Operating System-UnixSSH-rhel7.cybr.com-root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ExtraPass3Folder\" Value=\"Root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ExtraPass3Safe\" Value=\"Linux Root\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1616673608\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ChangeTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1616580255\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Execution 
error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessChange\" Value=\"1616011989\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessReconciliation\" Value=\"1576120341\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"No\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Tags\" Value=\"SSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Privcloud\" Value=\"privcloud\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Change Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "rhel7.cybr.com" + }, + "username": "firecall2" + }, + "rfc5424": true, + "ca_properties": { + "privcloud": "privcloud", + "other": { + "extra_pass3_name": "Operating System-UnixSSH-rhel7.cybr.com-root", + "extra_pass3_folder": "Root", + "use_sudo_on_reconcile": "No", + "extra_pass3_safe": "Linux Root" + }, + "address": "rhel7.cybr.com", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "last_success_reconciliation": "1576120341", + "user_name": "firecall2", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1616580255", + "reset_immediately": "ChangeTask", + "last_task": "ChangeTask", + "tags": "SSH", + "cpm_error_details": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002", + "last_fail_date": "1616673608", + "last_success_change": "1616011989" + }, + "file": "Root\\Operating System-UnixSSH-rhel7.cybr.com-firecall2", + "safe": "Linux Accounts", + "station": "10.0.0.15", + "action": "CPM Change Password Failed", + "timestamp": "Mar 25 08:00:08", + "desc": "CPM Change Password Failed" + } + }, + "host": { + "name": "VLT01" + }, + "event": { + "severity": 7, + "reason": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", + "ingested": "2021-05-31T15:30:24.402124100Z", + "original": "\u003c7\u003e1 2021-03-25T12:00:08Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 08:00:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T12:00:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e57\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux Accounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. 
Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1616673608\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580255\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Execution error. 
EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011989\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1576120341\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"No\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 08:00:08\",\"IsoTimestamp\":\"2021-03-25T12:00:08Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"57\",\"Desc\":\"CPM Change Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux Accounts\",\"File\":\"Root\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall2;\",\"Message\":\"CPM Change Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"firecall2\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1616673608\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580255\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011989\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1576120341\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"No\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", + "code": "57", + "kind": "event", + "action": "cpm change password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "firecall2" + } + } + } + ] +} \ No newline at end of file 
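Review bot: The expected document for this CPM change-password failure carries `destination.domain: "rhel7.cybr.com"` and `observer.hostname: "VLT01"`, yet `related` only holds `user` and `ip`, so `related.hosts` is absent for a hostname-bearing event; if the pipeline is meant to populate it for host pivoting, generating this fixture as-is locks in that gap. The same document records `event.severity: 7` while the Info events in the preceding expected file map to 2, which appears to track CyberArk's own severity scale rather than the RFC 5424 priority in `log.syslog.priority`; a short comment in the pipeline or a line in the data stream docs, such as `# event.severity mirrors the vault's Severity field, not the syslog priority`, would spare readers from assuming syslog semantics. Both points concern the pipeline that produced this generated file rather than the fixture text itself, so they are worth checking in the ingest pipeline before these expectations are committed.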
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json new file mode 100644 index 00000000000..ce48a789ba2 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json 
@@ -0,0 +1,159 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:25:02.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:25:02Z", + "safe": "PasswordManager_workspace", + "station": "10.0.1.20", + "action": "Clear Safe History", + "message": "Clear Safe History", + "issuer": "PasswordManager", + "timestamp": "Mar 04 11:25:02", + "desc": "Clear Safe History" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "clear safe history", + "ingested": "2021-05-31T15:30:24.448403800Z", + "original": "\u003c5\u003e1 2021-03-04T19:25:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:25:02\",\"IsoTimestamp\":\"2021-03-04T19:25:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", + "code": "59", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T03:10:31.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { 
+ "audit": { + "rfc5424": false, + "severity": "Info", + "safe": "PasswordManager_workspace", + "station": "10.0.1.20", + "action": "Clear Safe History", + "message": "Clear Safe History", + "issuer": "PasswordManager", + "desc": "Clear Safe History" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "event": { + "severity": 2, + "action": "clear safe history", + "ingested": "2021-05-31T15:30:24.448416200Z", + "original": "Mar 08 03:10:31 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", + "code": "59", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "0.0.0.0", + "ip": "0.0.0.0" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T09:00:47.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "0.0.0.0" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T09:00:47Z", + "safe": "System", + "station": "0.0.0.0", + "action": "Clear Safe History", + "message": "Clear Safe History", + "issuer": "Batch", + "timestamp": "Mar 09 01:00:47", + "desc": "Clear Safe History" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "clear safe 
history",
+ "ingested": "2021-05-31T15:30:24.448418700Z",
+ "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"System\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}",
+ "code": "59",
+ "kind": "event"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
new file mode 100644
index 00000000000..4cb588b72af
--- /dev/null
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
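Review bot: All three code-59 records in this expected output carry `event.kind: event` and `event.action: clear safe history` but no `event.category` or `event.type`, whereas the code-60 records in the following file are categorized as `iam` / `user, change, error`; accepting this fixture locks that gap in, and the mapping that would close it lives in the pipeline outside this hunk, so if the omission is deliberate for "Clear Safe History" it should be stated there. The third record also promotes the vault's placeholder station `0.0.0.0` into `source.ip` and `related.ip`, so any correlation keyed on `related.ip` will match these housekeeping events; it is worth deciding whether the pipeline should leave unspecified addresses out of `related.ip` before the fixture is regenerated. The `ingested` values are per-run timestamps and are presumably excluded from comparison by the test configuration, which cannot be confirmed from this hunk.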
@@ -0,0 +1,1083 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "ip": "34.66.114.180" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T21:12:22.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "iso_timestamp": "2021-03-11T21:12:22Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615497142\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "34.66.114.180" + }, + "username": "ELASTIC\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC\\bart", + 
"device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "last_fail_date": "1615497142", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 11 13:12:22", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "ingested": "2021-05-31T15:30:24.507716700Z", + "original": "\u003c7\u003e1 2021-03-11T21:12:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n 
\u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615497142\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:12:22\",\"IsoTimestamp\":\"2021-03-11T21:12:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615497142\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + "outcome": 
"failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "ELASTIC\\bart" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "ip": "34.66.114.180" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:18:15.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "iso_timestamp": "2021-03-14T13:18:15Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"2\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615727895\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "2", + "address": "34.66.114.180" + }, + "username": "ELASTIC\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + 
"user_name": "ELASTIC\\bart", + "device_type": "Operating System", + "retries_count": "2", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "last_fail_date": "1615727895", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 14 06:18:15", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "ingested": "2021-05-31T15:30:24.507726800Z", + "original": "\u003c7\u003e1 2021-03-14T13:18:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615727895\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:18:15\",\"IsoTimestamp\":\"2021-03-14T13:18:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615727895\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + 
"outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "ELASTIC\\bart" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "ip": "34.123.103.115" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:46:13.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "testark" + ], + "ip": [ + "10.0.1.20", + "34.123.103.115" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n", + "iso_timestamp": "2021-03-14T13:46:13Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615729572\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "34.123.103.115" + }, + "username": "testark" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "user_name": "testark", + "last_fail_date": "1615729572", + "device_type": "Operating System", + "retries_count": "0", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 14 06:46:13", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "ingested": "2021-05-31T15:30:24.507728800Z", + "original": "\u003c7\u003e1 2021-03-14T13:46:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n 
\u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:46:13\",\"IsoTimestamp\":\"2021-03-14T13:46:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "testark" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "ip": "34.66.114.180" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T14:49:11.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "iso_timestamp": "2021-03-14T14:49:11Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"3\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615733350\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "3", + "address": "34.66.114.180" + }, + "username": "ELASTIC\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + 
"user_name": "ELASTIC\\bart", + "device_type": "Operating System", + "retries_count": "3", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "last_fail_date": "1615733350", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 14 07:49:11", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "ingested": "2021-05-31T15:30:24.507730200Z", + "original": "\u003c7\u003e1 2021-03-14T14:49:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615733350\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 07:49:11\",\"IsoTimestamp\":\"2021-03-14T14:49:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615733350\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + 
], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "ELASTIC\\bart" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "ip": "34.66.114.180" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:12:18.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "iso_timestamp": "2021-03-15T10:12:18Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"4\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615803137\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "4", + "address": "34.66.114.180" + }, + "username": "ELASTIC\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + 
"user_name": "ELASTIC\\bart", + "device_type": "Operating System", + "retries_count": "4", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "last_fail_date": "1615803137", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 15 03:12:18", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "ingested": "2021-05-31T15:30:24.507731600Z", + "original": "\u003c7\u003e1 2021-03-15T10:12:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:18\",\"IsoTimestamp\":\"2021-03-15T10:12:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + 
], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "ELASTIC\\bart" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "ip": "34.123.103.115" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T10:12:19.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "testark" + ], + "ip": [ + "10.0.1.20", + "34.123.103.115" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n", + "iso_timestamp": "2021-03-15T10:12:19Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615803137\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "1", + "address": "34.123.103.115" + }, + "username": "testark" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031", + "user_name": "testark", + "last_fail_date": "1615803137", + "device_type": "Operating System", + "retries_count": "1", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 15 03:12:19", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "ingested": "2021-05-31T15:30:24.507733Z", + "original": "\u003c7\u003e1 2021-03-15T10:12:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n 
\u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:19\",\"IsoTimestamp\":\"2021-03-15T10:12:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "testark" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "ip": "34.66.114.180" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T12:57:13.000Z", + "file": { + "path": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "ELASTIC\\bart" + ], + "ip": [ + "10.0.1.20", + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n", + "iso_timestamp": "2021-03-15T12:57:13Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\bart;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"WinDomain\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"ELASTIC\\bart\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMDisabled\" Value=\"(CPM)MaxRetries\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"5\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LogonDomain\" Value=\"34.66.114.180\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "5", + "address": "34.66.114.180" + }, + "username": "ELASTIC\\bart" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": 
"34.66.114.180", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "WinDomain", + "user_name": "ELASTIC\\bart", + "cpm_disabled": "(CPM)MaxRetries", + "device_type": "Operating System", + "retries_count": "5", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "last_fail_date": "1615813031", + "logon_domain": "34.66.114.180" + }, + "file": "Root\\Operating System-WinDomain-35.192.121.42-ELASTICbart", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 15 05:57:13", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", + "ingested": "2021-05-31T15:30:24.507734300Z", + "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating 
System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not 
defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "ELASTIC\\bart" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "ip": "34.123.103.115" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T13:04:27.000Z", + "file": { + "path": "Root\\Operating 
System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager", + "testark" + ], + "ip": [ + "10.0.1.20", + "34.123.103.115" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "iso_timestamp": "2021-03-15T13:04:27Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). 
Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"0\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615813465\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "address": "34.123.103.115" + }, + "username": "testark" + }, + "rfc5424": true, + "ca_properties": { + "other": {}, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "0", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "last_fail_date": "1615813465" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 15 06:04:27", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "ingested": "2021-05-31T15:30:24.507735700Z", + "original": "\u003c7\u003e1 2021-03-15T13:04:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:04:27\",\"IsoTimestamp\":\"2021-03-15T13:04:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "testark" + } + } + }, + { + "log": { + "syslog": { + "priority": 7 + } + }, + "destination": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.123.103.115", + "ip": "34.123.103.115" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-15T14:44:37.000Z", + "file": { + "path": "Root\\Operating System-UnixSSH-34.123.103.115-testark" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + 
"PasswordManager", + "testark" + ], + "ip": [ + "10.0.1.20", + "34.123.103.115" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Error", + "reason": "ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\n", + "iso_timestamp": "2021-03-15T14:44:37Z", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e60\u003c/MessageID\u003e\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\n \u003cSeverity\u003eError\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003epartner\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\n\u003c/Reason\u003e\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003cCAProperties\u003e\n \u003cCAProperty Name=\"PolicyID\" Value=\"UnixSSH\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UserName\" Value=\"testark\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"Address\" Value=\"34.123.103.115\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"ResetImmediately\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMStatus\" Value=\"failure\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"RetriesCount\" Value=\"1\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastFailDate\" Value=\"1615819476\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastTask\" Value=\"ReconcileTask\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"LastSuccessVerification\" Value=\"1615803764\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CPMErrorDetails\" Value=\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"CreationMethod\" Value=\"PVWA\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"DeviceType\" Value=\"Operating System\"\u003e\u003c/CAProperty\u003e\n \u003cCAProperty Name=\"UseSudoOnReconcile\" Value=\"Yes\"\u003e\u003c/CAProperty\u003e\n \u003c/CAProperties\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "CPM Reconcile Password Failed", + "issuer": "PasswordManager", + "extra_details": { + "other": { + "retriescount": "1", + "address": "34.123.103.115" + }, + "username": "testark" + }, + "rfc5424": true, + "ca_properties": { + "other": { + "use_sudo_on_reconcile": "Yes" + }, + "address": "34.123.103.115", + "creation_method": "PVWA", + "cpm_status": "failure", + "policy_id": "UnixSSH", + "user_name": "testark", + "device_type": "Operating System", + "retries_count": "1", + "last_success_verification": "1615803764", + "reset_immediately": "ReconcileTask", + "last_task": "ReconcileTask", + "cpm_error_details": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", + "last_fail_date": "1615819476" + }, + "file": "Root\\Operating System-UnixSSH-34.123.103.115-testark", + "safe": "partner", + "station": "10.0.1.20", + "action": "CPM Reconcile Password Failed", + "timestamp": "Mar 15 07:44:37", + "desc": "CPM Reconcile Password Failed" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 7, + "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031", + "ingested": "2021-05-31T15:30:24.507737100Z", + "original": "\u003c7\u003e1 2021-03-15T14:44:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:44:37\",\"IsoTimestamp\":\"2021-03-15T14:44:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", + "code": "60", + "kind": "event", + "action": "cpm reconcile password failed", + "type": [ + "user", + "change", + "error" + ], + "category": [ + "iam" + ], + "outcome": "failure" + }, + "user": { + "name": "PasswordManager", + "target": { + "name": "testark" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json new file mode 100644 index 00000000000..60732e02d75 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json 
@@ -0,0 +1,548 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:54.000Z", + "file": { + "path": "Root\\PSMPApp_localhost.localdomain.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:54Z", + "file": "Root\\PSMPApp_localhost.localdomain.LiveSessions", + "safe": "PSMPLiveSessions", + "station": "81.32.170.205", + "action": "Create File Version", + "message": "Create File Version", + "issuer": "PSMPApp_localhost.localdomain", + "timestamp": "Mar 10 01:11:54", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", + "ingested": "2021-05-31T15:30:24.863283Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "code": "62", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T17:58:05.000Z", + "file": { + "path": "Root\\SessionControl" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T17:58:05Z", + "file": "Root\\SessionControl", + "safe": "PSMNotifications", + "station": "81.32.170.205", + "action": "Create File Version", + "message": "Create File Version", + "issuer": "Administrator", + "timestamp": "Mar 10 09:58:05", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", + "ingested": "2021-05-31T15:30:24.863293900Z", + "original": "\u003c5\u003e1 2021-03-10T17:58:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:05\",\"IsoTimestamp\":\"2021-03-10T17:58:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMNotifications\",\"File\":\"Root\\\\SessionControl\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "code": "62", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:46:47.000Z", + "file": { + "path": "Root\\PSMServer.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:46:47Z", + "file": "Root\\PSMServer.LiveSessions", + "safe": "PSMLiveSessions", + "station": "81.32.170.205", + "action": "Create File Version", + "message": "Create File Version", + "issuer": "PSMApp_VAGRANT", + "timestamp": "Mar 10 10:46:47", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", + "ingested": "2021-05-31T15:30:24.863296600Z", + "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "code": "62", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:20:12.000Z", + "file": { + "path": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:20:12Z", + "file": "Root\\PSM-ASR-CYBERARK-WI.LiveSessions", + "safe": "PSMLiveSessions", + "station": "35.192.121.42", + "action": "Create File Version", + "message": "Create File Version", + "issuer": "PSMApp_ASR-WIN", + "timestamp": "Mar 10 14:20:12", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", + "ingested": "2021-05-31T15:30:24.863298800Z", + "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "code": "62", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:50:29.000Z", + "file": { + "path": "Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:50:29Z", + "file": "Root\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b", + "safe": "PSMSessions", + "station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:50:29\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:50:29Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File 
Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Create File Version", + "message": "Create File Version", + "issuer": "PVWAAppUser", + "timestamp": "Mar 11 08:50:29", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", + "ingested": "2021-05-31T15:30:24.863300600Z", + "original": "\u003c5\u003e1 2021-03-11T16:50:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n 
\u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:29\",\"IsoTimestamp\":\"2021-03-11T16:50:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "code": "62", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:58.000Z", + "file": { + "path": 
"Root\\PSMPApp_VAGRANT.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:59:58Z", + "file": "Root\\PSMPApp_VAGRANT.LiveSessions", + "safe": "PSMPLiveSessions", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Create File Version", + "message": "Create File Version", + "issuer": "PSMPApp_VAGRANT", + "timestamp": "Mar 11 08:59:58", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", 
+ "ingested": "2021-05-31T15:30:24.863302100Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "code": "62", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:07:32.000Z", + "file": { + "path": "Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-14T12:07:32Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:07:32\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:07:32Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003eAccountsFeedDiscoveryLogs\u003c/Safe\u003e\n 
\u003cFile\u003eRoot\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\u003c/File\u003e\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Create File Version", + "issuer": "PasswordManager", + "rfc5424": true, + "file": "Root\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log", + "safe": "AccountsFeedDiscoveryLogs", + "station": "10.0.1.20", + "action": "Create File Version", + "timestamp": "Mar 14 05:07:32", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", + "ingested": "2021-05-31T15:30:24.863304100Z", + "original": "\u003c5\u003e1 2021-03-14T12:07:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n 
\u003cSafe\u003eAccountsFeedDiscoveryLogs\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:32\",\"IsoTimestamp\":\"2021-03-14T12:07:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedDiscoveryLogs\",\"File\":\"Root\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "62", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:27.000Z", + "file": { + "path": "Root\\PSMPApp_SSH.LiveSessions" + }, + "ecs": { + "version": "1.10.0" + }, + 
"related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:27Z", + "file": "Root\\PSMPApp_SSH.LiveSessions", + "safe": "PSMPLiveSessions", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e62\u003c/MessageID\u003e\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Create File Version", + "message": "Create File Version", + "issuer": "PSMPApp_SSH", + "timestamp": "Mar 14 05:57:27", + "desc": "Create File Version" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "create file version", + "ingested": "2021-05-31T15:30:24.863306100Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:27Z 
VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:27\",\"IsoTimestamp\":\"2021-03-14T12:57:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Create File 
Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", + "code": "62", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json new file mode 100644 index 00000000000..88083163c86 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json 
@@ -0,0 +1,895 @@ +{ + "expected": [ + { + "destination": { + "address": "10.2.0.3", + "ip": "10.2.0.3" + }, + "source": { + "address": "10.2.0.6", + "ip": "10.2.0.6" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "version": "11.6.0000", + "product": "Vault", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-16T15:01:00.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "adm2" + ], + "ip": [ + "10.2.0.6", + "10.2.0.3" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": false, + "iso_timestamp": "2021-03-16T15:01:00Z", + "gateway_station": "10.2.0.3", + "station": "10.2.0.6", + "raw": "\u003csyslog\u003e\n \u003caudit_record\u003e\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\n \u003cMessageID\u003e7\u003c/MessageID\u003e\n \u003cDesc\u003eLogon\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\n \u003cAction\u003eLogon\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogon\u003c/Message\u003e\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\u003c/syslog\u003e", + "action": "Logon", + "message": "Logon", + "issuer": "adm2", + "desc": "Logon" + } + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058675700Z", + "original": 
"{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e7\u003c/MessageID\u003e\\n \u003cDesc\u003eLogon\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eLogon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogon\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.2.0.3\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "adm2" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + 
"tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:05.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:05Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "PasswordManager", + "timestamp": "Mar 04 11:10:05", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058686100Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + 
"user": [ + "SCIM-user" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:20Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "SCIM-user", + "timestamp": "Mar 04 11:10:20", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058687900Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:20\",\"IsoTimestamp\":\"2021-03-04T19:10:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"SCIM-user\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "SCIM-user" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:11:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:11:20Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "PVWAGWUser", + 
"timestamp": "Mar 04 11:11:20", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058689300Z", + "original": "\u003c5\u003e1 2021-03-04T19:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:20\",\"IsoTimestamp\":\"2021-03-04T19:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:11:23.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Prov_COMPONENTS" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:11:23Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "Prov_COMPONENTS", + "timestamp": "Mar 04 11:11:23", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058690800Z", + "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Prov_COMPONENTS" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-05T10:18:50.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAAppUser" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-05T10:18:50Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "PVWAAppUser", + "timestamp": "Mar 05 02:18:50", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058692100Z", + "original": "\u003c5\u003e1 2021-03-05T10:18:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 
02:18:50\",\"IsoTimestamp\":\"2021-03-05T10:18:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAAppUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:07:51.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:07:51Z", + "gateway_station": "10.0.1.20", + "station": "127.0.0.1", + "action": "Logon", + "message": "Logon", + "issuer": "Administrator", + "timestamp": "Mar 08 10:07:51", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058693500Z", + "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 
10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "inbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T08:32:51.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "81.32.170.205", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T08:32:51Z", + "gateway_station": "10.0.1.20", + "station": "81.32.170.205", + "action": "Logon", + "message": "Logon", + "issuer": "Administrator", + "timestamp": "Mar 09 00:32:51", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058694800Z", + 
"original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "37.223.7.45", + "ip": "37.223.7.45" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "inbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-09T10:14:58.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "37.223.7.45", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-09T10:14:58Z", + "gateway_station": "10.0.1.20", + "station": "37.223.7.45", + "action": "Logon", + "message": "Logon", + "issuer": "Administrator", + "timestamp": 
"Mar 09 02:14:58", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058696200Z", + "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:48.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMP_ADB_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:48Z", + "station": "81.32.170.205", + "action": "Logon", + "message": "Logon", + "issuer": 
"PSMP_ADB_localhost.localdomain", + "timestamp": "Mar 10 01:11:48", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058697600Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PSMP_ADB_localhost.localdomain" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:48.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPApp_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:48Z", + "station": 
"81.32.170.205", + "action": "Logon", + "message": "Logon", + "issuer": "PSMPApp_localhost.localdomain", + "timestamp": "Mar 10 01:11:48", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058699200Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PSMPApp_localhost.localdomain" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:49.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": 
true, + "iso_timestamp": "2021-03-10T09:11:49Z", + "station": "81.32.170.205", + "action": "Logon", + "message": "Logon", + "issuer": "PSMPGW_localhost.localdomain", + "timestamp": "Mar 10 01:11:49", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.058700800Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:49\",\"IsoTimestamp\":\"2021-03-10T09:11:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PSMPGW_localhost.localdomain" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json new file mode 100644 index 00000000000..77fb528c0fc --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json 
@@ -0,0 +1,1154 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:19:15.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:19:15Z", + "station": "10.0.1.20", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 08 10:19:15", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316787700Z", + "original": "\u003c5\u003e1 2021-03-08T18:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:19:15\",\"IsoTimestamp\":\"2021-03-08T18:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": 
"11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:59:23.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "127.0.0.1" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:59:23Z", + "station": "127.0.0.1", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 08 10:59:23", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316798700Z", + "original": "\u003c5\u003e1 2021-03-08T18:59:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:59:23\",\"IsoTimestamp\":\"2021-03-08T18:59:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:28:28.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": 
true, + "iso_timestamp": "2021-03-10T08:28:28Z", + "station": "10.0.1.20", + "action": "Logoff", + "message": "Logoff", + "issuer": "PasswordManager", + "timestamp": "Mar 10 00:28:28", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316800500Z", + "original": "\u003c5\u003e1 2021-03-10T08:28:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:28\",\"IsoTimestamp\":\"2021-03-10T08:28:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:28:29.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Prov_COMPONENTS" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T08:28:29Z", + "station": "10.0.1.20", + "action": "Logoff", + "message": "Logoff", + "issuer": "Prov_COMPONENTS", + "timestamp": "Mar 10 00:28:29", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + 
"severity": 2, + "ingested": "2021-05-31T15:30:25.316802300Z", + "original": "\u003c5\u003e1 2021-03-10T08:28:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:29\",\"IsoTimestamp\":\"2021-03-10T08:28:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Prov_COMPONENTS" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:28:30.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T08:28:30Z", + "station": "10.0.1.20", + "action": "Logoff", + "message": "Logoff", + "issuer": "PVWAGWUser", + "timestamp": "Mar 10 00:28:30", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316804300Z", + "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:28:30.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAAppUser" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T08:28:30Z", + "station": "10.0.1.20", + "action": "Logoff", + "message": "Logoff", + "issuer": "PVWAAppUser", + "timestamp": "Mar 10 00:28:30", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316805700Z", + "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAAppUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:33.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:33Z", + "station": "81.32.170.205", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 10 01:11:33", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316806900Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 
01:11:33\",\"IsoTimestamp\":\"2021-03-10T09:11:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:12:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMP_ADB_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:12:20Z", + "station": "81.32.170.205", + "action": "Logoff", + "message": "Logoff", + "issuer": "PSMP_ADB_localhost.localdomain", + "timestamp": "Mar 10 01:12:20", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316808400Z", + "original": "\u003c5\u003e1 2021-03-10T09:12:20Z VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:20\",\"IsoTimestamp\":\"2021-03-10T09:12:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "PSMP_ADB_localhost.localdomain" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:12:27.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_localhost.localdomain" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:12:27Z", + "station": "81.32.170.205", + "action": "Logoff", + "message": "Logoff", + "issuer": "PSMPGW_localhost.localdomain", + "timestamp": "Mar 10 01:12:27", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316810100Z", + 
"original": "\u003c5\u003e1 2021-03-10T09:12:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:27\",\"IsoTimestamp\":\"2021-03-10T09:12:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "PSMPGW_localhost.localdomain" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:17:27.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:17:27Z", + "station": "35.192.121.42", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 10 14:17:27", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316849900Z", 
+ "original": "\u003c5\u003e1 2021-03-10T22:17:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:27\",\"IsoTimestamp\":\"2021-03-10T22:17:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:38:13.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "127.0.0.1", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:38:13Z", + "gateway_station": "81.32.170.205", + "station": "127.0.0.1", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n 
\u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 11 09:38:13", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316852100Z", + "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 
2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "source": { + "address": "10.0.2.2", + "ip": "10.0.2.2" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "outbound" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:48:28.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "10.0.2.2", + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:48:28Z", + "gateway_station": "81.32.170.205", + "station": "10.0.2.2", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\n 
\u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 11 09:48:28", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316854Z", + "original": "\u003c5\u003e1 2021-03-11T17:48:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:28\",\"IsoTimestamp\":\"2021-03-11T17:48:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T17:49:06.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PSMPGW_VAGRANT" + ], + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T17:49:06Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n 
\u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Logoff", + "message": "Logoff", + "issuer": "PSMPGW_VAGRANT", + "timestamp": "Mar 11 09:49:06", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316855600Z", + "original": "\u003c5\u003e1 2021-03-11T17:49:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:49:06\",\"IsoTimestamp\":\"2021-03-11T17:49:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "PSMPGW_VAGRANT" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:20.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "34.71.250.247" + ] + }, + 
"cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:20Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 14 05:57:20", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316857100Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\\n 
\u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:20\",\"IsoTimestamp\":\"2021-03-14T12:57:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + 
"geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "external" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T13:49:36.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "Administrator" + ], + "ip": [ + "81.32.170.205", + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T13:49:36Z", + "gateway_station": "34.71.250.247", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e8\u003c/MessageID\u003e\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eLogoff\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n 
\u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eLogoff\u003c/Message\u003e\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Logoff", + "message": "Logoff", + "issuer": "Administrator", + "timestamp": "Mar 14 06:49:36", + "desc": "Logoff" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:25.316859100Z", + "original": "\u003c5\u003e1 2021-03-14T13:49:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:36\",\"IsoTimestamp\":\"2021-03-14T13:49:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"34.71.250.247\"}}}", + "code": "8", + "kind": "event", + "action": "logoff", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "name": "Administrator" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json new file mode 100644 index 00000000000..792892968c0 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json 
@@ -0,0 +1,1101 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:16:19.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:16:19Z", + "station": "10.0.1.20", + "action": "Set Password", + "message": "Set Password", + "issuer": "PVWAGWUser", + "timestamp": "Mar 04 11:16:19", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635427900Z", + "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:16:19.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + 
"ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:16:19Z", + "station": "10.0.1.20", + "action": "Set Password", + "message": "Set Password", + "issuer": "PVWAAppUser", + "timestamp": "Mar 04 11:16:19", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635437500Z", + "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T02:54:46.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "rfc5424": false, + "severity": "Info", + "station": "10.0.1.20", + "action": "Set Password", + "message": "Set Password", + "issuer": "PVWAGWUser", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635439300Z", + "original": "Mar 08 02:54:46 VAULT 
{\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:29:19.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T08:29:19Z", + "station": "10.0.1.20", + "action": "Set Password", + "message": "Set Password", + "issuer": "Prov_COMPONENTS", + "timestamp": "Mar 10 00:29:19", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635440700Z", + "original": "\u003c5\u003e1 2021-03-10T08:29:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:19\",\"IsoTimestamp\":\"2021-03-10T08:29:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T08:29:28.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T08:29:28Z", + "station": "10.0.1.20", + "action": "Set Password", + "message": "Set Password", + "issuer": "PasswordManager", + "timestamp": "Mar 10 00:29:28", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635442Z", + "original": "\u003c5\u003e1 2021-03-10T08:29:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:28\",\"IsoTimestamp\":\"2021-03-10T08:29:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + 
"region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:52.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:52Z", + "station": "81.32.170.205", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMPApp_localhost.localdomain", + "timestamp": "Mar 10 01:11:52", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635443500Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + 
"region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:52.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:52Z", + "station": "81.32.170.205", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMPGW_localhost.localdomain", + "timestamp": "Mar 10 01:11:52", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635445200Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + 
"ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T09:11:55.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T09:11:55Z", + "station": "81.32.170.205", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMP_ADB_localhost.localdomain", + "timestamp": "Mar 10 01:11:55", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635447Z", + "original": "\u003c5\u003e1 2021-03-10T09:11:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:55\",\"IsoTimestamp\":\"2021-03-10T09:11:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + 
"hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:46:47.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:46:47Z", + "station": "81.32.170.205", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMApp_VAGRANT", + "timestamp": "Mar 10 10:46:47", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635448400Z", + "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:46:47.000Z", + "ecs": { + "version": 
"1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:46:47Z", + "station": "81.32.170.205", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMGw_VAGRANT", + "timestamp": "Mar 10 10:46:47", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635449700Z", + "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:20:12.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": 
"2021-03-10T22:20:12Z", + "station": "35.192.121.42", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMApp_ASR-WIN", + "timestamp": "Mar 10 14:20:12", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635451Z", + "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:20:12.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:20:12Z", + "station": "35.192.121.42", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMGw_ASR-WIN", + "timestamp": "Mar 10 
14:20:12", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635453Z", + "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:54.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:59:54Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\n 
\u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMPApp_VAGRANT", + "timestamp": "Mar 11 08:59:54", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635454600Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n 
\u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:54\",\"IsoTimestamp\":\"2021-03-11T16:59:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": "ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T16:59:55.000Z", + 
"ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T16:59:55Z", + "station": "81.32.170.205", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMPGW_VAGRANT", + "timestamp": "Mar 11 08:59:55", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635456Z", + "original": "\u003c5\u003e1 2021-03-11T16:59:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n 
\u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:55\",\"IsoTimestamp\":\"2021-03-11T16:59:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": 
"North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "34.66.114.180", + "ip": "34.66.114.180" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T20:10:33.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.66.114.180" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-11T20:10:33Z", + "station": "34.66.114.180", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + 
"action": "Set Password", + "message": "Set Password", + "issuer": "PSMApp_ASR-WIN", + "timestamp": "Mar 11 12:10:33", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635457300Z", + "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set 
Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:25.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:25Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n 
\u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMPGW_SSH", + "timestamp": "Mar 14 05:57:25", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635458700Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n 
\u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_SSH\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:25.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:25Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n 
\u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMPApp_SSH", + "timestamp": "Mar 14 05:57:25", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635473600Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n 
\u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "address": "34.71.250.247", + "ip": "34.71.250.247" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-14T12:57:25.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "34.71.250.247" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-14T12:57:25Z", + "station": "34.71.250.247", + "raw": "\u003csyslog\u003e\n\n 
\u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e88\u003c/MessageID\u003e\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\n \u003cAction\u003eSet Password\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003e\u003c/Safe\u003e\n \u003cFile\u003e\u003c/File\u003e\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eSet Password\u003c/Message\u003e\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "action": "Set Password", + "message": "Set Password", + "issuer": "PSMP_ADB_asr-cyberark-psm-ssh", + "timestamp": "Mar 14 05:57:25", + "desc": "Set Password" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "set password", + "ingested": "2021-05-31T15:30:25.635476100Z", + "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n 
\u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", + "code": "88", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json new file mode 100644 index 00000000000..66f2f9ef62b --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json 
@@ -0,0 +1,269 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T18:24:50.000Z", + "file": { + "path": "Root\\YWRtaW5pc3RyYXRvcg==" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-08T18:24:50Z", + "file": "Root\\YWRtaW5pc3RyYXRvcg==", + "safe": "PVWAPrivateUserPrefs", + "station": "10.0.1.20", + "action": "Open File (Write Only)", + "message": "Open File (Write Only)", + "issuer": "PVWAAppUser", + "timestamp": "Mar 08 10:24:50", + "desc": "Open File (Write Only)" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "open file (write only)", + "ingested": "2021-05-31T15:30:25.983717900Z", + "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", + "code": "98", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "geo": { + "continent_name": "Europe", + "region_iso_code": 
"ES-B", + "city_name": "Barcelona", + "country_iso_code": "ES", + "country_name": "Spain", + "region_name": "Barcelona", + "location": { + "lon": 2.1611, + "lat": 41.3891 + } + }, + "address": "81.32.170.205", + "ip": "81.32.170.205" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T18:44:08.000Z", + "file": { + "path": "ROOT\\PVConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "81.32.170.205" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T18:44:08Z", + "file": "ROOT\\PVConfiguration.xml", + "safe": "PVWAConfig", + "station": "81.32.170.205", + "action": "Open File (Write Only)", + "message": "Open File (Write Only)", + "issuer": "Administrator", + "timestamp": "Mar 10 10:44:08", + "desc": "Open File (Write Only)" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "open file (write only)", + "ingested": "2021-05-31T15:30:25.983724200Z", + "original": "\u003c5\u003e1 2021-03-10T18:44:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:44:08\",\"IsoTimestamp\":\"2021-03-10T18:44:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", + "code": "98", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + 
"source": { + "geo": { + "continent_name": "North America", + "region_iso_code": "US-VA", + "country_name": "United States", + "region_name": "Virginia", + "location": { + "lon": -77.2481, + "lat": 38.6583 + }, + "country_iso_code": "US" + }, + "address": "35.192.121.42", + "ip": "35.192.121.42" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-10T22:17:40.000Z", + "file": { + "path": "ROOT\\PVConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "35.192.121.42" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-10T22:17:40Z", + "file": "ROOT\\PVConfiguration.xml", + "safe": "PVWAConfig", + "station": "35.192.121.42", + "action": "Open File (Write Only)", + "message": "Open File (Write Only)", + "issuer": "Administrator", + "timestamp": "Mar 10 14:17:40", + "desc": "Open File (Write Only)" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "open file (write only)", + "ingested": "2021-05-31T15:30:25.983725500Z", + "original": "\u003c5\u003e1 2021-03-10T22:17:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:40\",\"IsoTimestamp\":\"2021-03-10T22:17:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", + "code": "98", + "kind": "event" + } 
+ }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "destination": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "tags": [ + "preserve_original_event" + ], + "network": { + "direction": "internal" + }, + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-11T19:45:26.000Z", + "file": { + "path": "Root\\PVConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "127.0.0.1", + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "iso_timestamp": "2021-03-11T19:45:26Z", + "gateway_station": "10.0.1.20", + "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e98\u003c/MessageID\u003e\n \u003cDesc\u003eOpen File (Write Only)\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eOpen File (Write Only)\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\n \u003cFile\u003eRoot\\PVConfiguration.xml\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eOpen File (Write Only)\u003c/Message\u003e\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", + "message": "Open File (Write Only)", + "issuer": "Administrator", + "rfc5424": true, + "file": "Root\\PVConfiguration.xml", + "safe": "PVWAConfig", + "station": "127.0.0.1", + "action": "Open File (Write Only)", + "timestamp": "Mar 11 11:45:26", + "desc": "Open File (Write Only)" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "open file (write only)", + "ingested": "2021-05-31T15:30:25.983726500Z", + "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e98\u003c/MessageID\u003e\\n \u003cDesc\u003eOpen File (Write Only)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eOpen File (Write Only)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eOpen File (Write Only)\u003c/Message\u003e\\n 
\u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"10.0.1.20\"}}}", + "code": "98", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json new file mode 100644 index 00000000000..34780332958 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json 
@@ -0,0 +1,62 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T19:10:05.000Z", + "file": { + "path": "Root\\EPMConfiguration.xml" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T19:10:05Z", + "file": "Root\\EPMConfiguration.xml", + "safe": "PVWAConfig", + "station": "10.0.1.20", + "action": "Open File", + "message": "Open File", + "issuer": "PVWAAppUser", + "timestamp": "Mar 04 11:10:05", + "desc": "Open File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "open file", + "ingested": "2021-05-31T15:30:26.082470500Z", + "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"99\",\"Desc\":\"Open File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\EPMConfiguration.xml\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File\",\"GatewayStation\":\"\"}}}", + "code": "99", + "kind": "event" + } + } + ] +} \ No newline at end of file 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json new file mode 100644 index 00000000000..798a75633e1 --- /dev/null +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json 
@@ -0,0 +1,55 @@ +{ + "expected": [ + { + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-08T03:41:01.000Z", + "file": { + "path": "Root\\Policies\\Policy-BusinessWebsite.ini" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": false, + "file": "Root\\Policies\\Policy-BusinessWebsite.ini", + "safe": "PasswordManagerShared", + "station": "10.0.1.20", + "action": "Retrieve File", + "message": "Retrieve File", + "issuer": "PasswordManager", + "desc": "Retrieve File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "retrieve file", + "ingested": "2021-05-31T15:30:26.111474600Z", + "original": "Mar 08 03:41:01 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-BusinessWebsite.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", + "code": "51", + "kind": "event" + } + } + ] +} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json new file mode 100644 index 00000000000..8ef6ddc91ed --- /dev/null 
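Review bot: The expected `@timestamp` of `2021-03-08T03:41:01.000Z` in this legacy-syslog fixture is derived from an `event.original` that starts `Mar 08 03:41:01 VAULT` and carries no year, and the record has `rfc5424: false` with no `iso_timestamp` to fall back on. If the pipeline fills in the missing year from the ingest clock (which is how a date processor without a year field usually behaves — the pipeline itself is not in this diff, so this is inferred), this expectation will silently go stale after 2021 and the test will start failing at the year boundary. Either the year should be pinned in the matching log-config.yml so the fixture stays deterministic, or the pipeline's legacy-format date handling should be checked and a short comment added to the fixture's config noting that the timestamp year is supplied by the test setup, not by the event.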
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json 
@@ -0,0 +1,263 @@ +{ + "expected": [ + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T17:27:14.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAGWUser" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T17:27:14Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "PVWAGWUser", + "timestamp": "Mar 04 09:27:14", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:26.139988800Z", + "original": "\u003c5\u003e1 2021-03-04T17:27:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:14\",\"IsoTimestamp\":\"2021-03-04T17:27:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAGWUser" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": 
"11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T17:27:21.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PasswordManager" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T17:27:21Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "PasswordManager", + "timestamp": "Mar 04 09:27:21", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:26.139995200Z", + "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PasswordManager" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T17:27:21.000Z", + "file": { + "path": "Root\\Policies\\Policy-GenericWebApp.ini" + }, + "ecs": { + "version": "1.10.0" + }, + "related": { + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": 
{ + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T17:27:21Z", + "file": "Root\\Policies\\Policy-GenericWebApp.ini", + "safe": "PasswordManagerShared", + "station": "10.0.1.20", + "action": "Retrieve File", + "message": "Retrieve File", + "issuer": "PasswordManager", + "timestamp": "Mar 04 09:27:21", + "desc": "Retrieve File" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "action": "retrieve file", + "ingested": "2021-05-31T15:30:26.139996500Z", + "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", + "code": "51", + "kind": "event" + } + }, + { + "log": { + "syslog": { + "priority": 5 + } + }, + "source": { + "address": "10.0.1.20", + "ip": "10.0.1.20" + }, + "tags": [ + "preserve_original_event" + ], + "observer": { + "product": "Vault", + "hostname": "VAULT", + "version": "11.7.0000", + "vendor": "Cyber-Ark" + }, + "@timestamp": "2021-03-04T17:27:33.000Z", + "ecs": { + "version": "1.10.0" + }, + "related": { + "user": [ + "PVWAAppUser" + ], + "ip": [ + "10.0.1.20" + ] + }, + "cyberarkpas": { + "audit": { + "severity": "Info", + "rfc5424": true, + "iso_timestamp": "2021-03-04T17:27:33Z", + "station": "10.0.1.20", + "action": "Logon", + "message": "Logon", + "issuer": "PVWAAppUser", + "timestamp": "Mar 04 
09:27:33", + "desc": "Logon" + } + }, + "host": { + "name": "VAULT" + }, + "event": { + "severity": 2, + "ingested": "2021-05-31T15:30:26.139997600Z", + "original": "\u003c5\u003e1 2021-03-04T17:27:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:33\",\"IsoTimestamp\":\"2021-03-04T17:27:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", + "code": "7", + "kind": "event", + "action": "authentication_success", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "name": "PVWAAppUser" + } + } + ] +} \ No newline at end of file
From a8b8873cb3f6ab6b479361df321dc76901ab86a0 Mon Sep 17 00:00:00 2001
From: Marius Iversen
Date: Fri, 4 Jun 2021 13:34:43 +0200
Subject: [PATCH 3/7] linting and formatting, generating new test files and adding changelog/manifest changes
---
packages/cyberarkpas/changelog.yml | 5 ++
...st-105-add-file-category.log-expected.json | 12 ++---
...st-106-update-file-category.log-config.yml | 5 --
...106-update-file-category.log-expected.json | 12 ++---
...st-107-delete-file-category.log-config.yml | 5 --
...107-delete-file-category.log-expected.json | 2 +-
.../test-124-rename-file.log-config.yml | 5 --
.../test-124-rename-file.log-expected.json | 2 +-
.../test-125-rename-file-cont.log-config.yml | 5 --
...est-125-rename-file-cont.log-expected.json | 2 +-
.../test-126-unlock-file.log-config.yml | 5 --
.../test-126-unlock-file.log-expected.json | 2 +-
...st-130-cpm-disable-password.log-config.yml | 5 --
...130-cpm-disable-password.log-expected.json | 2 +-
...test-178-get-user-s-details.log-config.yml | 5 --
...t-178-get-user-s-details.log-expected.json | 2 +-
.../pipeline/test-180-add-user.log-config.yml | 5 --
.../test-180-add-user.log-expected.json | 24 ++++-----
.../test-181-update-safe.log-config.yml | 5 --
.../test-181-update-safe.log-expected.json | 2 +-
.../pipeline/test-185-add-safe.log-config.yml | 5 --
.../test-185-add-safe.log-expected.json | 4 +-
.../test-187-add-folder.log-config.yml | 5 --
.../test-187-add-folder.log-expected.json | 4 +-
...-19-full-gateway-connection.log-config.yml | 5 --
...-full-gateway-connection.log-expected.json | 18 +++----
...-partial-gateway-connection.log-config.yml | 5 --
...rtial-gateway-connection.log-expected.json | 2 +-
...backup-files-deletion-start.log-config.yml | 5 --
...kup-files-deletion-start.log-expected.json | 2 +-
...d-backup-files-deletion-end.log-config.yml | 5 --
...ackup-files-deletion-end.log-expected.json | 2 +-
...test-22-cpm-verify-password.log-config.yml | 5 --
...t-22-cpm-verify-password.log-expected.json | 4 +-
...st-23-action-on-closed-safe.log-config.yml | 5 --
...23-action-on-closed-safe.log-expected.json | 6 +--
...test-24-cpm-change-password.log-config.yml | 5 --
...t-24-cpm-change-password.log-expected.json | 8 +--
.../test-259-add-update-group.log-config.yml | 5 --
...est-259-add-update-group.log-expected.json | 8 +--
.../test-265-add-group-member.log-config.yml | 5 --
...est-265-add-group-member.log-expected.json | 28 +++++------
...est-266-remove-group-member.log-config.yml | 5 --
...-266-remove-group-member.log-expected.json | 4 +-
.../test-273-remove-owner.log-config.yml | 5 --
.../test-273-remove-owner.log-expected.json | 2 +-
.../pipeline/test-278-add-rule.log-config.yml | 5 --
.../test-278-add-rule.log-expected.json | 2 +-
...o-clear-users-history-start.log-config.yml | 5 --
...lear-users-history-start.log-expected.json | 4 +-
...uto-clear-users-history-end.log-config.yml | 5 --
...-clear-users-history-end.log-expected.json | 4 +-
...o-clear-safes-history-start.log-config.yml | 5 --
...lear-safes-history-start.log-expected.json | 2 +-
...uto-clear-safes-history-end.log-config.yml | 5 --
...-clear-safes-history-end.log-expected.json | 2 +-
.../test-294-store-password.log-config.yml | 5 --
.../test-294-store-password.log-expected.json | 20 ++++----
.../test-295-retrieve-password.log-config.yml | 5 --
...st-295-retrieve-password.log-expected.json | 26 +++++-----
.../test-300-psm-connect.log-config.yml | 5 --
.../test-300-psm-connect.log-expected.json | 34 ++++++-------
.../test-302-psm-disconnect.log-config.yml | 5 --
.../test-302-psm-disconnect.log-expected.json | 32 ++++++------
...st-304-psm-upload-recording.log-config.yml | 5 --
...304-psm-upload-recording.log-expected.json | 2 +-
.../test-308-use-password.log-config.yml | 5 --
.../test-308-use-password.log-expected.json | 22 ++++----
...st-309-undefined-user-logon.log-config.yml | 5 --
...309-undefined-user-logon.log-expected.json | 10 ++--
...t-31-cpm-reconcile-password.log-config.yml | 5 --
...1-cpm-reconcile-password.log-expected.json | 2 +-
...onitor-dr-replication-start.log-config.yml | 5 --
...tor-dr-replication-start.log-expected.json | 4 +-
...-monitor-dr-replication-end.log-config.yml | 5 --
...nitor-dr-replication-end.log-expected.json | 4 +-
...ssword-detailed-information.log-config.yml | 5 --
...ord-detailed-information.log-expected.json | 2 +-
...est-317-reset-user-password.log-config.yml | 5 --
...-317-reset-user-password.log-expected.json | 2 +-
.../pipeline/test-32-add-owner.log-config.yml | 5 --
.../test-32-add-owner.log-expected.json | 32 ++++++------
...26-cpm-auto-detection-start.log-config.yml | 5 --
...cpm-auto-detection-start.log-expected.json | 2 +-
...-327-cpm-auto-detection-end.log-config.yml | 5 --
...7-cpm-auto-detection-end.log-expected.json | 2 +-
.../test-33-update-owner.log-config.yml | 5 --
.../test-33-update-owner.log-expected.json | 14 +++---
...cense-expiration-date-start.log-config.yml | 5 --
...se-expiration-date-start.log-expected.json | 2 +-
...license-expiration-date-end.log-config.yml | 5 --
...ense-expiration-date-end.log-expected.json | 2 +-
...-357-monitor-fw-rules-start.log-config.yml | 5 --
...7-monitor-fw-rules-start.log-expected.json | 4 +-
...st-358-monitor-fw-rules-end.log-config.yml | 5 --
...358-monitor-fw-rules-end.log-expected.json | 4 +-
.../test-359-sql-command.log-config.yml | 5 --
.../test-359-sql-command.log-expected.json | 20 ++++----
.../test-361-keystroke-logging.log-config.yml | 5 --
...st-361-keystroke-logging.log-expected.json | 14 +++---
...-cpm-verify-password-failed.log-config.yml | 5 --
...m-verify-password-failed.log-expected.json | 30 +++++------
...-385-blservice-audit-record.log-config.yml | 5 --
...5-blservice-audit-record.log-expected.json | 10 ++--
.../test-4-user-authentication.log-config.yml | 5 --
...st-4-user-authentication.log-expected.json | 4 +-
.../test-411-window-title.log-config.yml | 5 --
.../test-411-window-title.log-expected.json | 2 +-
.../test-412-keystroke-logging.log-config.yml | 5 --
...st-412-keystroke-logging.log-expected.json | 2 +-
...test-414-cpm-verify-ssh-key.log-config.yml | 5 --
...t-414-cpm-verify-ssh-key.log-expected.json | 2 +-
.../test-427-store-ssh-key.log-config.yml | 5 --
.../test-427-store-ssh-key.log-expected.json | 2 +-
.../test-428-retrieve-ssh-key.log-config.yml | 5 --
...est-428-retrieve-ssh-key.log-expected.json | 6 +--
...-create-discovery-succeeded.log-config.yml | 5 --
...eate-discovery-succeeded.log-expected.json | 2 +-
.../test-459-general-audit.log-config.yml | 5 --
.../test-459-general-audit.log-expected.json | 6 +--
...-authentication-was-updated.log-config.yml | 5 --
...thentication-was-updated.log-expected.json | 2 +-
...e-vault-certificate-is-sha1.log-config.yml | 5 --
...ault-certificate-is-sha1.log-expected.json | 4 +-
...nt-bulk-operation-succeeded.log-config.yml | 5 --
...bulk-operation-succeeded.log-expected.json | 2 +-
.../test-50-store-file.log-config.yml | 5 --
.../test-50-store-file.log-expected.json | 12 ++---
.../test-51-retrieve-file.log-config.yml | 5 --
.../test-51-retrieve-file.log-expected.json | 4 +-
.../test-52-delete-file.log-config.yml | 5 --
.../test-52-delete-file.log-expected.json | 20 ++++----
...-cpm-change-password-failed.log-config.yml | 5 --
...m-change-password-failed.log-expected.json | 2 +-
.../test-59-clear-safe-history.log-config.yml | 5 --
...st-59-clear-safe-history.log-expected.json | 6 +--
...m-reconcile-password-failed.log-config.yml | 5 --
...econcile-password-failed.log-expected.json | 18 +++---
...test-62-create-file-version.log-config.yml | 5 --
...t-62-create-file-version.log-expected.json | 16 +++---
.../test/pipeline/test-7-logon.log-config.yml | 5 --
.../pipeline/test-7-logon.log-expected.json | 24 ++++-----
.../pipeline/test-8-logoff.log-config.yml | 5 --
.../pipeline/test-8-logoff.log-expected.json | 30 +++++------
.../test-88-set-password.log-config.yml | 5 --
.../test-88-set-password.log-expected.json | 36 ++++++-------
...est-98-open-file-write-only.log-config.yml | 5 --
...-98-open-file-write-only.log-expected.json | 8 +--
.../pipeline/test-99-open-file.log-config.yml | 5 --
.../test-99-open-file.log-expected.json | 2 +-
....log-config.yml => test-common-config.yml} | 0
.../pipeline/test-legacysyslog.log-config.yml | 5 --
.../test-legacysyslog.log-expected.json | 2 +-
.../test-rfc5424syslog.log-config.yml | 5 --
.../test-rfc5424syslog.log-expected.json | 8 +--
.../audit/agent/stream/log.yml.hbs | 3 ++
.../audit/agent/stream/tcp.yml.hbs | 3 ++
.../audit/agent/stream/udp.yml.hbs | 3 ++
.../elasticsearch/ingest_pipeline/default.yml | 5 --
.../data_stream/audit/manifest.yml | 50 +++++++++++++++++--
packages/cyberarkpas/docs/README.md | 2 +-
packages/cyberarkpas/manifest.yml | 2 +-
162 files changed, 405 insertions(+), 734 deletions(-)
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml
rename packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/{test-105-add-file-category.log-config.yml => test-common-config.yml} (100%)
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml
delete mode 100644 packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml
diff --git a/packages/cyberarkpas/changelog.yml b/packages/cyberarkpas/changelog.yml
index 8ebfee80f03..442d9c25bd9 100644
--- a/packages/cyberarkpas/changelog.yml
+++ b/packages/cyberarkpas/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: 1.0.1
+ changes:
+ - description: updating ECS version and adding event.original options
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1039
 - version: 1.0.0
 changes:
 - description: initial release
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
index 2a4991e7a2b..a95bfa4aaaf 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json
@@ -63,7 +63,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-05-31T15:30:15.911672800Z", + "ingested": "2021-06-04T11:33:08.385128900Z", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "105", "kind": "event" 
@@ -134,7 +134,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-05-31T15:30:15.911698400Z", + "ingested": "2021-06-04T11:33:08.385153600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -205,7 +205,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-05-31T15:30:15.911707400Z", + "ingested": "2021-06-04T11:33:08.385164Z", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" 
@@ -276,7 +276,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-05-31T15:30:15.911712900Z", + "ingested": "2021-06-04T11:33:08.385170400Z", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"LogonDomain\",\"RequestId\":\"\",\"Reason\":\"Value=[ASR-CYBERARK-WI]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -346,7 +346,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-05-31T15:30:15.911718Z", + "ingested": "2021-06-04T11:33:08.385176400Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" 
@@ -418,7 +418,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-05-31T15:30:15.911723500Z", + "ingested": "2021-06-04T11:33:08.385182600Z", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e105\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json index f6711e9a618..20a4d3b064c 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json 
@@ -63,7 +63,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-05-31T15:30:16.293054300Z", + "ingested": "2021-06-04T11:33:08.742124Z", "original": "\u003c5\u003e1 2021-03-08T18:25:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:25:52\",\"IsoTimestamp\":\"2021-03-08T18:25:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[components] Old Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "106", "kind": "event" 
@@ -134,7 +134,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-05-31T15:30:16.293077600Z", + "ingested": "2021-06-04T11:33:08.742155800Z", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" @@ -204,7 +204,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-05-31T15:30:16.293099700Z", + "ingested": "2021-06-04T11:33:08.742200500Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" 
@@ -276,7 +276,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-05-31T15:30:16.293106100Z", + "ingested": "2021-06-04T11:33:08.742207700Z", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.session\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"PSMStatus\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" 
@@ -347,7 +347,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-05-31T15:30:16.293111100Z", + "ingested": "2021-06-04T11:33:08.742212500Z", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" 
@@ -416,7 +416,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-05-31T15:30:16.293115700Z", + "ingested": "2021-06-04T11:33:08.742217200Z", "original": "\u003c5\u003e1 2021-03-14T13:49:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:38\",\"IsoTimestamp\":\"2021-03-14T13:49:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json index 65978555f97..d00fe44a368 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json 
@@ -64,7 +64,7 @@ "event": { "severity": 2, "action": "delete file category", - "ingested": "2021-05-31T15:30:16.448225100Z", + "ingested": "2021-06-04T11:33:08.888766Z", "original": "\u003c5\u003e1 2021-03-15T10:22:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e107\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:24\",\"IsoTimestamp\":\"2021-03-15T10:22:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"107\",\"Desc\":\"Delete File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"LastFailDate\",\"RequestId\":\"\",\"Reason\":\"Old Value=[1615803137]\",\"ExtraDetails\":\"\",\"Message\":\"Delete File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "107", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json index bd7666633a4..cf88343b908 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "rename file", - "ingested": "2021-05-31T15:30:16.483910300Z", + "ingested": "2021-06-04T11:33:08.919553200Z", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e124\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"124\",\"Desc\":\"Rename File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "124", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json index 42a90fe6421..2597af743ef 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "rename file (cont.)", - "ingested": "2021-05-31T15:30:16.518188800Z", + "ingested": "2021-06-04T11:33:08.947968800Z", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e125\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eOperating System-UnixSSH-34.71.250.247-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"125\",\"Desc\":\"Rename File 
(Cont.)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File (Cont.)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Operating System-UnixSSH-34.71.250.247-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File (Cont.)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "125", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json index 9b109c08816..3390e9f0315 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json 
@@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "unlock file", - "ingested": "2021-05-31T15:30:16.550492500Z", + "ingested": "2021-06-04T11:33:08.975976300Z", "original": "\u003c5\u003e1 2021-03-10T18:33:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:33:34\",\"IsoTimestamp\":\"2021-03-10T18:33:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"126\",\"Desc\":\"Unlock File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Unlock File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Unlock File\",\"GatewayStation\":\"\"}}}", "code": "126", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json index 2bdd97b9e0f..3edb40d92e9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json 
@@ -81,7 +81,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-05-31T15:30:16.608141700Z", + "ingested": "2021-06-04T11:33:09.001670800Z", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e130\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"130\",\"Desc\":\"CPM Disable Password\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Disable Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Disable Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "130", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json index 910df9b470a..790372de445 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json 
@@ -48,7 +48,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:16.687003100Z", + "ingested": "2021-06-04T11:33:09.053529200Z", "original": "\u003c7\u003e1 2021-03-11T18:45:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:45:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:45:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e178\u003c/MessageID\u003e\\n \u003cDesc\u003eGet User's Details\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eGet User's Details\u003c/Action\u003e\\n \u003cSourceUser\u003eMaster\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGet User's Details\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:45:23\",\"IsoTimestamp\":\"2021-03-11T18:45:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"178\",\"Desc\":\"Get User's Details\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Get User's 
Details\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Get User's Details\",\"GatewayStation\":\"\"}}}",
 "code": "178",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json
index 387f05f800f..1d01a1e2bc8 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json
@@ -62,7 +62,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714782500Z", + "ingested": "2021-06-04T11:33:09.081082100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -144,7 +144,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714810800Z", + "ingested": "2021-06-04T11:33:09.081103200Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
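Review bot: The regenerated `"ingested": "2021-06-04T11:33:09.081082100Z"` in this hunk (and every other hunk of this file, plus the test-178, test-181, test-185, test-187 and test-19 expected files in this chunk) pins `event.ingested` to an exact wall-clock value, while the same commit deletes the per-test `*-config.yml` files whose `dynamic_fields: event.ingested: ".*"` exempted that field from comparison. Unless a shared test config elsewhere in the patch still declares `event.ingested` dynamic, every re-run of the pipeline tests will emit a new timestamp and fail on a spurious mismatch, which is the churn visible in these hunks. The expected output still carries `event.original`, which the deleted `preserve_original_event` tag produced, so a common config probably exists; please confirm it also lists `event.ingested` under `dynamic_fields`, otherwise the per-test configs should not be removed.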
@@ -226,7 +226,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714816900Z", + "ingested": "2021-06-04T11:33:09.081109600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -308,7 +308,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714821500Z", + "ingested": "2021-06-04T11:33:09.081115600Z", "original": "\u003c5\u003e1 2021-03-10T17:59:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:19\",\"IsoTimestamp\":\"2021-03-10T17:59:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -390,7 +390,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714825700Z", + "ingested": "2021-06-04T11:33:09.081120Z", "original": "\u003c5\u003e1 2021-03-10T17:59:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:27\",\"IsoTimestamp\":\"2021-03-10T17:59:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -471,7 +471,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714829600Z", + "ingested": "2021-06-04T11:33:09.081123900Z", "original": "\u003c5\u003e1 2021-03-10T22:19:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:06\",\"IsoTimestamp\":\"2021-03-10T22:19:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -552,7 +552,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714833500Z", + "ingested": "2021-06-04T11:33:09.081127800Z", "original": "\u003c5\u003e1 2021-03-10T22:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:15\",\"IsoTimestamp\":\"2021-03-10T22:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -635,7 +635,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714837600Z", + "ingested": "2021-06-04T11:33:09.081132Z", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -718,7 +718,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714841900Z", + "ingested": "2021-06-04T11:33:09.081136Z", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -798,7 +798,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714845700Z", + "ingested": "2021-06-04T11:33:09.081139900Z", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -878,7 +878,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714850900Z", + "ingested": "2021-06-04T11:33:09.081144200Z", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -958,7 +958,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:16.714855200Z", + "ingested": "2021-06-04T11:33:09.081148300Z", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}",
 "code": "180",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json
index d6a164557d7..ed0c4a8a041 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json
@@ -60,7 +60,7 @@
 "event": {
 "severity": 2,
 "action": "update safe",
- "ingested": "2021-05-31T15:30:17.020127900Z",
+ "ingested": "2021-06-04T11:33:09.372305700Z",
 "original": "\u003c5\u003e1 2021-03-10T18:15:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:15:44\",\"IsoTimestamp\":\"2021-03-10T18:15:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"181\",\"Desc\":\"Update Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Safe\",\"GatewayStation\":\"\"}}}",
 "code": "181",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json
index 00d17811329..7ac53217e7c 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json
@@ -60,7 +60,7 @@
 "event": {
 "severity": 2,
 "action": "add safe",
- "ingested": "2021-05-31T15:30:17.056870700Z",
+ "ingested": "2021-06-04T11:33:09.401099Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}",
 "code": "185",
 "kind": "event"
@@ -127,7 +127,7 @@ "event": { "severity": 2, "action": "add safe", - "ingested": "2021-05-31T15:30:17.056892300Z", + "ingested": "2021-06-04T11:33:09.401119Z", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e185\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}",
 "code": "185",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json
index 0c77139f49d..e6903db306f 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json
@@ -64,7 +64,7 @@
 "event": {
 "severity": 2,
 "action": "add folder",
- "ingested": "2021-05-31T15:30:17.112776900Z",
+ "ingested": "2021-06-04T11:33:09.460126100Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:40\",\"IsoTimestamp\":\"2021-03-10T09:11:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"Root\\\\Scripts\\\\\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}",
 "code": "187",
 "kind": "event"
@@ -123,7 +123,7 @@ "event": { "severity": 2, "action": "add folder", - "ingested": "2021-05-31T15:30:17.112797300Z", + "ingested": "2021-06-04T11:33:09.460145Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e187\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Folder\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Folder\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\\\\\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Folder\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\\\\\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}",
 "code": "187",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json
index 1784f6e09b9..8ab0f5085c5 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json
@@ -66,7 +66,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169527500Z", + "ingested": "2021-06-04T11:33:09.530592300Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -161,7 +161,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169546900Z", + "ingested": "2021-06-04T11:33:09.530611100Z", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -256,7 +256,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169552400Z", + "ingested": "2021-06-04T11:33:09.530615800Z", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -338,7 +338,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169557200Z", + "ingested": "2021-06-04T11:33:09.530619600Z", "original": "\u003c5\u003e1 2021-03-10T08:31:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:50\",\"IsoTimestamp\":\"2021-03-10T08:31:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -421,7 +421,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169561700Z", + "ingested": "2021-06-04T11:33:09.530623300Z", "original": "\u003c5\u003e1 2021-03-10T22:37:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:37:00\",\"IsoTimestamp\":\"2021-03-10T22:37:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.10\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -517,7 +517,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169565600Z", + "ingested": "2021-06-04T11:33:09.530626800Z", "original": "\u003c5\u003e1 2021-03-11T17:38:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:05\",\"IsoTimestamp\":\"2021-03-11T17:38:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "19", "kind": "event", 
@@ -613,7 +613,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169569600Z", + "ingested": "2021-06-04T11:33:09.530630500Z", "original": "\u003c5\u003e1 2021-03-11T17:48:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:22\",\"IsoTimestamp\":\"2021-03-11T17:48:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "19", "kind": "event", 
@@ -708,7 +708,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169574200Z", + "ingested": "2021-06-04T11:33:09.530635Z", "original": "\u003c5\u003e1 2021-03-11T18:02:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:02:57\",\"IsoTimestamp\":\"2021-03-11T18:02:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -813,7 +813,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.169578300Z", + "ingested": "2021-06-04T11:33:09.530638500Z", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"34.71.250.247\"}}}", "code": "19", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json index 6941b57a37d..c45f7647b00 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json 
@@ -49,7 +49,7 @@ "event": { "severity": 2, "action": "partial gateway connection", - "ingested": "2021-05-31T15:30:17.406591400Z", + "ingested": "2021-06-04T11:33:09.762012Z", "original": "\u003c5\u003e1 2021-03-25T09:20:07Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e20\u003c/MessageID\u003e\\n \u003cDesc\u003ePartial Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMGw_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePartial Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePartial Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 05:20:07\",\"IsoTimestamp\":\"2021-03-25T09:20:07Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"20\",\"Desc\":\"Partial Gateway 
Connection\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_COMP01\",\"Action\":\"Partial Gateway Connection\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Partial Gateway Connection\",\"GatewayStation\":\"\"}}}", "code": "20", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json index 6d6f5015c96..0574fcf3c12 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "old backup files deletion start", - "ingested": "2021-05-31T15:30:17.436108900Z", + "ingested": "2021-06-04T11:33:09.789639200Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"202\",\"Desc\":\"Old Backup Files Deletion Start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion Start\",\"GatewayStation\":\"\"}}}", "code": "202", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json index ef84a29db62..fd7425e8c46 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "old backup files deletion end", - "ingested": "2021-05-31T15:30:17.459457400Z", + "ingested": "2021-06-04T11:33:09.813028800Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"203\",\"Desc\":\"Old Backup Files Deletion End\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion End\",\"GatewayStation\":\"\"}}}", "code": "203", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json index ea6a2f7d1c6..ca196852178 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json 
@@ -79,7 +79,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.486140100Z", + "ingested": "2021-06-04T11:33:09.835377500Z", "original": "Apr 07 09:51:42 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"}]}}}}", "code": "22", "kind": "event", 
@@ -195,7 +195,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:17.486170800Z", + "ingested": "2021-06-04T11:33:09.835393500Z", "original": "\u003c5\u003e1 2021-03-15T10:22:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" 
Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:44\",\"IsoTimestamp\":\"2021-03-15T10:22:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "22", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json index 09a7b43ab2e..79a8863d2e6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json @@ -59,7 +59,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:17.560759100Z", + "ingested": "2021-06-04T11:33:09.910908600Z", "original": "\u003c7\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", 
@@ -115,7 +115,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:17.560798600Z", + "ingested": "2021-06-04T11:33:09.910939200Z", "original": "\u003c7\u003e1 2021-03-14T12:07:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedADAccounts\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:27\",\"IsoTimestamp\":\"2021-03-14T12:07:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"Action On Closed 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedADAccounts\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", 
@@ -180,7 +180,7 @@
 },
 "event": {
 "severity": 7,
- "ingested": "2021-05-31T15:30:17.560806300Z",
+ "ingested": "2021-06-04T11:33:09.910946400Z",
 "original": "\u003c7\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}",
 "code": "23",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json
index 3840114c658..9e6ff795c80 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json
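Review bot: Deleting `test-24-cpm-change-password.log-config.yml` removes the only declaration in view that `event.ingested` is a dynamic field, while the expected-JSON hunks that follow still pin `ingested` to a wall-clock value such as `2021-06-04T11:33:09.979066700Z`; unless the replacement configuration (presumably a shared common config outside this diff) carries `dynamic_fields: event.ingested: ".*"`, the pipeline test becomes time-dependent and fails on every later run. The same file also set `tags: [preserve_original_event]`, and the expected output still contains `event.original` with the full raw audit record, so that tag must likewise be supplied by whatever replaces these per-test files. A sentence in the commit message naming where those two settings moved would let a reviewer confirm this without checking out the branch.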
@@ -70,7 +70,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:17.633768800Z",
+ "ingested": "2021-06-04T11:33:09.979066700Z",
 "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1604944158\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1604944158\"}]}}}}",
 "code": "24",
 "kind": "event",
@@ -174,7 +174,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:17.633787300Z",
+ "ingested": "2021-06-04T11:33:09.979085300Z",
 "original": "\u003c5\u003e1 2021-03-08T19:20:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:05\",\"IsoTimestamp\":\"2021-03-08T19:20:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}",
 "code": "24",
 "kind": "event",
@@ -278,7 +278,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:17.633792700Z",
+ "ingested": "2021-06-04T11:33:09.979090200Z",
 "original": "\u003c5\u003e1 2021-03-10T23:39:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:28\",\"IsoTimestamp\":\"2021-03-10T23:39:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountB;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}",
 "code": "24",
 "kind": "event",
@@ -383,7 +383,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:17.633796700Z",
+ "ingested": "2021-06-04T11:33:09.979094Z",
 "original": "\u003c5\u003e1 2021-03-15T10:12:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=components;username=x_accountA;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"28\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615803143\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:24\",\"IsoTimestamp\":\"2021-03-15T10:12:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"28\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615803143\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}",
 "code": "24",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
index 8d5ea132e8b..e3153e57b80 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json
@@ -60,7 +60,7 @@
 "event": {
 "severity": 2,
 "action": "add/update group",
- "ingested": "2021-05-31T15:30:17.777210400Z",
+ "ingested": "2021-06-04T11:33:10.118061600Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
 "code": "259",
 "kind": "event"
@@ -126,7 +126,7 @@
 "event": {
 "severity": 2,
 "action": "add/update group",
- "ingested": "2021-05-31T15:30:17.777229Z",
+ "ingested": "2021-06-04T11:33:10.118081300Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
 "code": "259",
 "kind": "event"
@@ -192,7 +192,7 @@
 "event": {
 "severity": 2,
 "action": "add/update group",
- "ingested": "2021-05-31T15:30:17.777233900Z",
+ "ingested": "2021-06-04T11:33:10.118086Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
 "code": "259",
 "kind": "event"
@@ -258,7 +258,7 @@
 "event": {
 "severity": 2,
 "action": "add/update group",
- "ingested": "2021-05-31T15:30:17.777237700Z",
+ "ingested": "2021-06-04T11:33:10.118089900Z",
 "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMLiveSessionTerminators\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}",
 "code": "259",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json
index 1c7ecce0ffa..4e95f5b893b 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json
@@ -61,7 +61,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878014100Z",
+ "ingested": "2021-06-04T11:33:10.209076700Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -128,7 +128,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878032900Z",
+ "ingested": "2021-06-04T11:33:10.209095400Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -195,7 +195,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878038200Z",
+ "ingested": "2021-06-04T11:33:10.209100200Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -262,7 +262,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878068500Z",
+ "ingested": "2021-06-04T11:33:10.209104500Z",
 "original": "\u003c5\u003e1 2021-03-10T17:58:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:01\",\"IsoTimestamp\":\"2021-03-10T17:58:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -329,7 +329,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878073900Z",
+ "ingested": "2021-06-04T11:33:10.209108300Z",
 "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -396,7 +396,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878078100Z",
+ "ingested": "2021-06-04T11:33:10.209111700Z",
 "original": "\u003c5\u003e1 2021-03-10T17:59:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:30\",\"IsoTimestamp\":\"2021-03-10T17:59:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -462,7 +462,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878081800Z",
+ "ingested": "2021-06-04T11:33:10.209115100Z",
 "original": "\u003c5\u003e1 2021-03-10T22:17:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:15\",\"IsoTimestamp\":\"2021-03-10T22:17:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -528,7 +528,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878085500Z",
+ "ingested": "2021-06-04T11:33:10.209127600Z",
 "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -594,7 +594,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878089100Z",
+ "ingested": "2021-06-04T11:33:10.209131100Z",
 "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -662,7 +662,7 @@
 "event": {
 "severity": 2,
 "action": "add group member",
- "ingested": "2021-05-31T15:30:17.878092700Z",
+ "ingested": "2021-06-04T11:33:10.209134600Z",
 "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}",
 "code": "265",
 "kind": "event"
@@ -730,7 +730,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-05-31T15:30:17.878109700Z", + "ingested": "2021-06-04T11:33:10.209139300Z", "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -795,7 +795,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-05-31T15:30:17.878115800Z", + "ingested": "2021-06-04T11:33:10.209143600Z", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -860,7 +860,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-05-31T15:30:17.878120100Z", + "ingested": "2021-06-04T11:33:10.209147100Z", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -925,7 +925,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-05-31T15:30:17.878124200Z", + "ingested": "2021-06-04T11:33:10.209150500Z", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json index d2d050933f4..33d47ebf847 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json 
@@ -61,7 +61,7 @@ "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-05-31T15:30:18.201329900Z", + "ingested": "2021-06-04T11:33:10.530824300Z", "original": "\u003c5\u003e1 2021-03-10T17:59:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:48\",\"IsoTimestamp\":\"2021-03-10T17:59:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" @@ -127,7 +127,7 @@ "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-05-31T15:30:18.201348Z", + "ingested": "2021-06-04T11:33:10.530840600Z", "original": "\u003c5\u003e1 2021-03-10T22:19:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:23\",\"IsoTimestamp\":\"2021-03-10T22:19:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json index 1e8b47a569d..327c21fe6b7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json @@ -61,7 +61,7 @@ "event": { "severity": 2, "action": "remove owner", - "ingested": "2021-05-31T15:30:18.264087900Z", + "ingested": "2021-06-04T11:33:10.584014600Z", "original": "\u003c5\u003e1 2021-03-10T17:59:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:33\",\"IsoTimestamp\":\"2021-03-10T17:59:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"273\",\"Desc\":\"Remove Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Owner\",\"GatewayStation\":\"\"}}}", "code": "273", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json
index f2b2c0925f7..b3d3fffc259 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json
@@ -55,7 +55,7 @@ "event": { "severity": 2, "action": "add rule", - "ingested": "2021-05-31T15:30:18.318037500Z", + "ingested": "2021-06-04T11:33:10.630981200Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e278\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Rule\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Rule\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAllow\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Rule\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"278\",\"Desc\":\"Add Rule\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Rule\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Allow\",\"ExtraDetails\":\"\",\"Message\":\"Add Rule\",\"GatewayStation\":\"\"}}}", "code": "278", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json index a794fb8de5e..dc159d439ee 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-05-31T15:30:18.346643100Z", + "ingested": "2021-06-04T11:33:10.659234400Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-05-31T15:30:18.346669900Z", + "ingested": "2021-06-04T11:33:10.659257800Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json index 2610c72f1d2..fa2e21660a9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-05-31T15:30:18.420015400Z", + "ingested": "2021-06-04T11:33:10.700528200Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-05-31T15:30:18.420031500Z", + "ingested": "2021-06-04T11:33:10.700542700Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json index d90b2d424e9..d0eb3b68598 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear safes history start", - "ingested": "2021-05-31T15:30:18.460922600Z", + "ingested": "2021-06-04T11:33:10.738618500Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"290\",\"Desc\":\"Auto Clear Safes History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History start\",\"GatewayStation\":\"\"}}}", "code": "290", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json index 0f228aa361a..86d0b0e33c7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear safes history end", - "ingested": "2021-05-31T15:30:18.485427900Z", + "ingested": "2021-06-04T11:33:10.762740700Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"291\",\"Desc\":\"Auto Clear Safes History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History end\",\"GatewayStation\":\"\"}}}", "code": "291", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json index 1e2be9bedf2..0d96d994926 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510911600Z", + "ingested": "2021-06-04T11:33:10.788206700Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -129,7 +129,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510931Z", + "ingested": "2021-06-04T11:33:10.788244600Z", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "294", "kind": "event" 
@@ -208,7 +208,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510935300Z", + "ingested": "2021-06-04T11:33:10.788252100Z", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -276,7 +276,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510938700Z", + "ingested": "2021-06-04T11:33:10.788256200Z", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", "code": "294", "kind": "event" 
@@ -346,7 +346,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510941900Z", + "ingested": "2021-06-04T11:33:10.788259600Z", "original": "\u003c5\u003e1 2021-03-10T17:58:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:06\",\"IsoTimestamp\":\"2021-03-10T17:58:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "code": "294", "kind": "event" @@ -415,7 +415,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510945100Z", + "ingested": "2021-06-04T11:33:10.788262700Z", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "code": "294", "kind": "event" 
@@ -494,7 +494,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510948100Z", + "ingested": "2021-06-04T11:33:10.788265800Z", "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -563,7 +563,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510951300Z", + "ingested": "2021-06-04T11:33:10.788268800Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Groups\\\\WindowsGroup\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WindowsDesktopLocalAccountsRotationalPolicy\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" 
Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615722505\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CurrInd\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615722505\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -643,7 +643,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510954200Z", + "ingested": "2021-06-04T11:33:10.788272700Z", "original": "\u003c5\u003e1 2021-03-15T10:12:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"27\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"StartChangeNotBefore\\\" Value=\\\"1615754905\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615231204\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:21\",\"IsoTimestamp\":\"2021-03-15T10:12:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615754905\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -726,7 +726,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-05-31T15:30:18.510957200Z", + "ingested": "2021-06-04T11:33:10.788277Z", "original": "\u003c5\u003e1 2021-03-15T13:13:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:13:01\",\"IsoTimestamp\":\"2021-03-15T13:13:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "294", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json index 96a954e2485..12da067a655 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json 
@@ -68,7 +68,7 @@ "event": { "severity": 2, "reason": "AIM password request", - "ingested": "2021-05-31T15:30:18.767877400Z", + "ingested": "2021-06-04T11:33:11.050515Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eProv_PVWA\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.3\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAIM password request\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Nobody\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_PVWA\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.3\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"AIM password request\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Nobody\"}]}}}}", "code": "295", "kind": "event", 
@@ -168,7 +168,7 @@ "event": { "severity": 2, "reason": "(Action: Show Password)", - "ingested": "2021-05-31T15:30:18.767937100Z", + "ingested": "2021-06-04T11:33:11.050583100Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Show Password)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eShow Password\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Show Password)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Show Password\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "295", "kind": "event", @@ -262,7 +262,7 @@ "event": { "severity": 2, "reason": "testing", - "ingested": "2021-05-31T15:30:18.767946Z", + "ingested": "2021-06-04T11:33:11.050593300Z", "original": "\u003c5\u003e1 2021-03-08T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:16:51\",\"IsoTimestamp\":\"2021-03-08T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\testobject\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"test\"},{\"Name\":\"Address\",\"Value\":\"test\"},{\"Name\":\"CPMDisabled\",\"Value\":\"testing\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "295", "kind": "event", 
@@ -368,7 +368,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-05-31T15:30:18.767950600Z", + "ingested": "2021-06-04T11:33:11.050597600Z", "original": "\u003c5\u003e1 2021-03-08T19:19:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:19:59\",\"IsoTimestamp\":\"2021-03-08T19:19:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -454,7 +454,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-05-31T15:30:18.767953800Z", + "ingested": "2021-06-04T11:33:11.050600800Z", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "295", "kind": "event", 
@@ -556,7 +556,7 @@ "event": { "severity": 2, "reason": "Application provider background refresh job", - "ingested": "2021-05-31T15:30:18.767956900Z", + "ingested": "2021-06-04T11:33:11.050603700Z", "original": "\u003c5\u003e1 2021-03-10T14:40:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:40:37\",\"IsoTimestamp\":\"2021-03-10T14:40:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Application provider background refresh job\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -651,7 +651,7 @@ "event": { "severity": 2, "reason": "test", - "ingested": "2021-05-31T15:30:18.767960Z", + "ingested": "2021-06-04T11:33:11.050606600Z", "original": "\u003c5\u003e1 2021-03-10T18:27:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:27:57\",\"IsoTimestamp\":\"2021-03-10T18:27:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -746,7 +746,7 @@ "event": { "severity": 2, "reason": "test", - "ingested": "2021-05-31T15:30:18.767963400Z", + "ingested": "2021-06-04T11:33:11.050609500Z", "original": "\u003c5\u003e1 2021-03-10T18:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:28:07\",\"IsoTimestamp\":\"2021-03-10T18:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -852,7 +852,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-05-31T15:30:18.767966400Z", + "ingested": "2021-06-04T11:33:11.050612800Z", "original": "\u003c5\u003e1 2021-03-10T23:39:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:22\",\"IsoTimestamp\":\"2021-03-10T23:39:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "295", "kind": "event", 
@@ -938,7 +938,7 @@ "event": { "severity": 2, "reason": "CPM", - "ingested": "2021-05-31T15:30:18.767969100Z", + "ingested": "2021-06-04T11:33:11.050615600Z", "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", "code": "295", "kind": "event", 
@@ -1034,7 +1034,7 @@ "event": { "severity": 2, "reason": "lksajdflkasdf", - "ingested": "2021-05-31T15:30:18.767972Z", + "ingested": "2021-06-04T11:33:11.050618700Z", "original": "\u003c5\u003e1 2021-03-11T16:41:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:41:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:41:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003elksajdflkasdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:41:21\",\"IsoTimestamp\":\"2021-03-11T16:41:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"lksajdflkasdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -1128,7 +1128,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:18.767975100Z", + "ingested": "2021-06-04T11:33:11.050621800Z", "original": "\u003c5\u003e1 2021-03-11T16:50:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMServer\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:28\",\"IsoTimestamp\":\"2021-03-11T16:50:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "295", "kind": "event", 
@@ -1222,7 +1222,7 @@ "event": { "severity": 2, "reason": "sdfsdf", - "ingested": "2021-05-31T15:30:18.767978500Z", + "ingested": "2021-06-04T11:33:11.050624500Z", "original": "\u003c5\u003e1 2021-03-11T16:54:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:54:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:54:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003esdfsdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMApp_VAGRANT\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"centos8\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:54:20\",\"IsoTimestamp\":\"2021-03-11T16:54:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"sdfsdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"PSMApp_VAGRANT\"},{\"Name\":\"Address\",\"Value\":\"centos8\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "295",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
-  event.ingested: ".*"
-fields:
-  tags:
-    - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
index 48191f30069..e9bc5866f5b 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
@@ -82,7 +82,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154739100Z", + "ingested": "2021-06-04T11:33:11.439597700Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" 
Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"300\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "300", "kind": "event", 
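Review bot: The `"ingested": "2021-06-04T11:33:11.439597700Z"` value this hunk pins will be compared literally, because the same commit deletes `test-300-psm-connect.log-config.yml`, whose `dynamic_fields: event.ingested: ".*"` entry was what turned that field into a pattern match; unless a shared config (such as a `test-common-config.yml` next to these tests) now carries that entry, each future run of this pipeline test will emit a fresh ingest timestamp and fail against this file. The same applies to the other hunks of this expected file (at offsets 200, 318, 436, 554 and 672). The deleted config also carried `fields.tags: [preserve_original_event]`, and the expected output here still contains `event.original`, which presumably depends on that tag being set, so it would likely mismatch as well. If dropping the per-test config is intentional, either move both entries into the common config or regenerate this expected file without `event.ingested` rather than storing a wall-clock value.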
@@ -200,7 +200,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154755600Z", + "ingested": "2021-06-04T11:33:11.439614600Z", "original": "\u003c5\u003e1 2021-03-11T17:38:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:20\",\"IsoTimestamp\":\"2021-03-11T17:38:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -318,7 +318,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154759500Z", + "ingested": "2021-06-04T11:33:11.439618600Z", "original": "\u003c5\u003e1 2021-03-11T17:46:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:56\",\"IsoTimestamp\":\"2021-03-11T17:46:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -436,7 +436,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154762400Z", + "ingested": "2021-06-04T11:33:11.439621800Z", "original": "\u003c5\u003e1 2021-03-11T17:48:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:34\",\"IsoTimestamp\":\"2021-03-11T17:48:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -554,7 +554,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154765400Z", + "ingested": "2021-06-04T11:33:11.439624700Z", "original": "\u003c5\u003e1 2021-03-11T17:54:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:56\",\"IsoTimestamp\":\"2021-03-11T17:54:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -672,7 +672,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154768100Z", + "ingested": "2021-06-04T11:33:11.439627400Z", "original": "\u003c5\u003e1 2021-03-11T17:56:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:37\",\"IsoTimestamp\":\"2021-03-11T17:56:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -790,7 +790,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154770600Z", + "ingested": "2021-06-04T11:33:11.439630100Z", "original": "\u003c5\u003e1 2021-03-11T20:23:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:25\",\"IsoTimestamp\":\"2021-03-11T20:23:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -926,7 +926,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154773400Z", + "ingested": "2021-06-04T11:33:11.439633Z", "original": "\u003c5\u003e1 2021-03-14T13:49:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:37\",\"IsoTimestamp\":\"2021-03-14T13:49:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1062,7 +1062,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154776Z", + "ingested": "2021-06-04T11:33:11.439635900Z", "original": "\u003c5\u003e1 2021-03-14T13:50:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:50:43\",\"IsoTimestamp\":\"2021-03-14T13:50:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1196,7 +1196,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154778700Z", + "ingested": "2021-06-04T11:33:11.439639100Z", "original": "\u003c5\u003e1 2021-03-15T10:31:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:56\",\"IsoTimestamp\":\"2021-03-15T10:31:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1330,7 +1330,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154781400Z", + "ingested": "2021-06-04T11:33:11.439643800Z", "original": "\u003c5\u003e1 2021-03-15T10:33:39Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:39\",\"IsoTimestamp\":\"2021-03-15T10:33:39Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1464,7 +1464,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154784300Z", + "ingested": "2021-06-04T11:33:11.439646900Z", "original": "\u003c5\u003e1 2021-03-15T10:35:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:00\",\"IsoTimestamp\":\"2021-03-15T10:35:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1594,7 +1594,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154787Z", + "ingested": "2021-06-04T11:33:11.439649700Z", "original": "\u003c5\u003e1 2021-03-15T13:18:31Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:31\",\"IsoTimestamp\":\"2021-03-15T13:18:31Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1724,7 +1724,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154789800Z", + "ingested": "2021-06-04T11:33:11.439652700Z", "original": "\u003c5\u003e1 2021-03-15T14:08:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:06\",\"IsoTimestamp\":\"2021-03-15T14:08:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1863,7 +1863,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154793100Z", + "ingested": "2021-06-04T11:33:11.439656Z", "original": "\u003c5\u003e1 2021-03-15T14:08:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:28\",\"IsoTimestamp\":\"2021-03-15T14:08:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", 
@@ -2002,7 +2002,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154795900Z", + "ingested": "2021-06-04T11:33:11.439659Z", "original": "\u003c5\u003e1 2021-03-15T14:11:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:09\",\"IsoTimestamp\":\"2021-03-15T14:11:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", 
@@ -2141,7 +2141,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:19.154798900Z", + "ingested": "2021-06-04T11:33:11.439662100Z", "original": "\u003c5\u003e1 2021-03-16T10:04:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:51\",\"IsoTimestamp\":\"2021-03-16T10:04:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json index 710c3b92741..7331a8b6857 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json 
@@ -84,7 +84,7 @@ "event": { "severity": 2, "duration": 7000000000, - "ingested": "2021-05-31T15:30:19.830741900Z", + "ingested": "2021-06-04T11:33:12.127431300Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"302\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "302", "kind": "event", 
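Review bot: The per-test config removed in the `@@ -1,5 +0,0 @@` hunk above declared `dynamic_fields: event.ingested: ".*"` and the `preserve_original_event` tag, yet this hunk (and every other hunk in view, from `@@ -1594` through `@@ -444`) still rewrites `event.ingested` with what looks like a fresh wall-clock value and still expects `event.original` to be populated. Unless a shared test config such as `test-common-config.yml` (not visible in this chunk) now supplies both settings, the next `elastic-package test pipeline` run will mismatch on `event.ingested` and stop emitting `event.original`, so these regenerated expectations would fail immediately. If the shared config does exist, the timestamp churn is pure regeneration noise; regenerating once after the config move and committing only that result would let reviewers confirm the move preserved the dynamic-field exemption.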
@@ -204,7 +204,7 @@ "event": { "severity": 2, "duration": 13000000000, - "ingested": "2021-05-31T15:30:19.830758900Z", + "ingested": "2021-06-04T11:33:12.127448100Z", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -324,7 +324,7 @@ "event": { "severity": 2, "duration": 11000000000, - "ingested": "2021-05-31T15:30:19.830763200Z", + "ingested": "2021-06-04T11:33:12.127453500Z", "original": "\u003c5\u003e1 2021-03-11T17:47:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:47:01\",\"IsoTimestamp\":\"2021-03-11T17:47:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -444,7 +444,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-05-31T15:30:19.830767100Z", + "ingested": "2021-06-04T11:33:12.127457200Z", "original": "\u003c5\u003e1 2021-03-11T17:48:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:40\",\"IsoTimestamp\":\"2021-03-11T17:48:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -564,7 +564,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-05-31T15:30:19.830770100Z", + "ingested": "2021-06-04T11:33:12.127486800Z", "original": "\u003c5\u003e1 2021-03-11T17:55:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:55:02\",\"IsoTimestamp\":\"2021-03-11T17:55:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -684,7 +684,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-05-31T15:30:19.830773Z", + "ingested": "2021-06-04T11:33:12.127491700Z", "original": "\u003c5\u003e1 2021-03-11T17:56:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:42\",\"IsoTimestamp\":\"2021-03-11T17:56:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -804,7 +804,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-05-31T15:30:19.830775800Z", + "ingested": "2021-06-04T11:33:12.127495200Z", "original": "\u003c5\u003e1 2021-03-11T20:23:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:30\",\"IsoTimestamp\":\"2021-03-11T20:23:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -942,7 +942,7 @@ "event": { "severity": 2, "duration": 18000000000, - "ingested": "2021-05-31T15:30:19.830778400Z", + "ingested": "2021-06-04T11:33:12.127497900Z", "original": "\u003c5\u003e1 2021-03-14T13:49:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:54\",\"IsoTimestamp\":\"2021-03-14T13:49:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1080,7 +1080,7 @@ "event": { "severity": 2, "duration": 54000000000, - "ingested": "2021-05-31T15:30:19.830781300Z", + "ingested": "2021-06-04T11:33:12.127500400Z", "original": "\u003c5\u003e1 2021-03-14T13:51:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:51:35\",\"IsoTimestamp\":\"2021-03-14T13:51:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1216,7 +1216,7 @@ "event": { "severity": 2, "duration": 95000000000, - "ingested": "2021-05-31T15:30:19.830784Z", + "ingested": "2021-06-04T11:33:12.127502900Z", "original": "\u003c5\u003e1 2021-03-15T10:33:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:30\",\"IsoTimestamp\":\"2021-03-15T10:33:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1352,7 +1352,7 @@ "event": { "severity": 2, "duration": 73000000000, - "ingested": "2021-05-31T15:30:19.830786800Z", + "ingested": "2021-06-04T11:33:12.127505400Z", "original": "\u003c5\u003e1 2021-03-15T10:34:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:34:50\",\"IsoTimestamp\":\"2021-03-15T10:34:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1488,7 +1488,7 @@ "event": { "severity": 2, "duration": 2230000000000, - "ingested": "2021-05-31T15:30:19.830789700Z", + "ingested": "2021-06-04T11:33:12.127508100Z", "original": "\u003c5\u003e1 2021-03-15T11:12:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 04:12:09\",\"IsoTimestamp\":\"2021-03-15T11:12:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1620,7 +1620,7 @@ "event": { "severity": 2, "duration": 5000000000, - "ingested": "2021-05-31T15:30:19.830792400Z", + "ingested": "2021-06-04T11:33:12.127511Z", "original": "\u003c5\u003e1 2021-03-15T13:18:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:36\",\"IsoTimestamp\":\"2021-03-15T13:18:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1752,7 +1752,7 @@ "event": { "severity": 2, "duration": 6000000000, - "ingested": "2021-05-31T15:30:19.830795200Z", + "ingested": "2021-06-04T11:33:12.127513500Z", "original": "\u003c5\u003e1 2021-03-15T14:08:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:11\",\"IsoTimestamp\":\"2021-03-15T14:08:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1893,7 +1893,7 @@ "event": { "severity": 2, "duration": 9000000000, - "ingested": "2021-05-31T15:30:19.830797700Z", + "ingested": "2021-06-04T11:33:12.127516300Z", "original": "\u003c5\u003e1 2021-03-15T14:08:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:36\",\"IsoTimestamp\":\"2021-03-15T14:08:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "302", "kind": "event", 
@@ -2034,7 +2034,7 @@ "event": { "severity": 2, "duration": 2952000000000, - "ingested": "2021-05-31T15:30:19.830800600Z", + "ingested": "2021-06-04T11:33:12.127518800Z", "original": "\u003c5\u003e1 2021-03-15T15:00:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:00:21\",\"IsoTimestamp\":\"2021-03-15T15:00:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "302", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json index 62887f4c6b7..601d4d22ac9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json 
@@ -65,7 +65,7 @@ "event": { "severity": 2, "action": "psm upload recording", - "ingested": "2021-05-31T15:30:20.491148200Z", + "ingested": "2021-06-04T11:33:12.779110700Z", "original": "\u003c5\u003e1 2021-03-25T09:20:56Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e304\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Upload Recording\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Upload Recording\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Upload Recording\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
05:20:56\",\"IsoTimestamp\":\"2021-03-25T09:20:56Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"304\",\"Desc\":\"PSM Upload Recording\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_COMP01\",\"Action\":\"PSM Upload Recording\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"Root\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\",\"Message\":\"PSM Upload Recording\",\"GatewayStation\":\"\"}}}", "code": "304", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json index 0b7cbaa9500..821531cf8a5 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json 
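Review bot: The new `+ "ingested": "2021-06-04T11:33:12.779110700Z"` line pins a wall-clock ingestion time in the expected output while the same commit deletes `test-304-psm-upload-recording.log-config.yml`, whose only purpose was `dynamic_fields: event.ingested: ".*"`; unless a directory-level common config (for example a `test-common-config.yml`, not visible in this chunk) carries the same `dynamic_fields` entry and the `preserve_original_event` tag, every re-run of the pipeline test will produce a different `event.ingested` and fail the comparison. The same pattern applies to the `test-308-use-password.log-expected.json` hunks below (which likewise lose their `-config.yml`) and to the `302` hunks above. If the common config does exist, a one-line mention in the commit description that per-test configs were consolidated would save the next reader this check; if it does not, the `dynamic_fields`/`tags` block should be restored before the expected files are regenerated.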
@@ -75,7 +75,7 @@ "event": { "severity": 2, "reason": "(Action: Connect)", - "ingested": "2021-05-31T15:30:20.525192800Z", + "ingested": "2021-06-04T11:33:12.812445Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" 
Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"308\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "308", "kind": "event", 
@@ -184,7 +184,7 @@ "event": { "severity": 2, "reason": "fun and profit", - "ingested": "2021-05-31T15:30:20.525207800Z", + "ingested": "2021-06-04T11:33:12.812459700Z", "original": "\u003c5\u003e1 2021-03-11T17:38:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:12\",\"IsoTimestamp\":\"2021-03-11T17:38:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -292,7 +292,7 @@ "event": { "severity": 2, "reason": "FOR FUN.", - "ingested": "2021-05-31T15:30:20.525211500Z", + "ingested": "2021-06-04T11:33:12.812463Z", "original": "\u003c5\u003e1 2021-03-11T17:46:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:49\",\"IsoTimestamp\":\"2021-03-11T17:46:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"FOR FUN.\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -400,7 +400,7 @@ "event": { "severity": 2, "reason": "For fun and profit", - "ingested": "2021-05-31T15:30:20.525214500Z", + "ingested": "2021-06-04T11:33:12.812465400Z", "original": "\u003c5\u003e1 2021-03-11T17:48:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:27\",\"IsoTimestamp\":\"2021-03-11T17:48:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"For fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -508,7 +508,7 @@ "event": { "severity": 2, "reason": "Because I say so", - "ingested": "2021-05-31T15:30:20.525217400Z", + "ingested": "2021-06-04T11:33:12.812468Z", "original": "\u003c5\u003e1 2021-03-11T17:54:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:49\",\"IsoTimestamp\":\"2021-03-11T17:54:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Because I say so\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -616,7 +616,7 @@ "event": { "severity": 2, "reason": "for fun", - "ingested": "2021-05-31T15:30:20.525257300Z", + "ingested": "2021-06-04T11:33:12.812470400Z", "original": "\u003c5\u003e1 2021-03-11T17:56:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efor fun\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:30\",\"IsoTimestamp\":\"2021-03-11T17:56:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"for fun\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -724,7 +724,7 @@ "event": { "severity": 2, "reason": "testing", - "ingested": "2021-05-31T15:30:20.525274800Z", + "ingested": "2021-06-04T11:33:12.812488100Z", "original": "\u003c5\u003e1 2021-03-11T20:23:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003etesting\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:17\",\"IsoTimestamp\":\"2021-03-11T20:23:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -848,7 +848,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:20.525279Z", + "ingested": "2021-06-04T11:33:12.812497400Z", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -971,7 +971,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:20.525282500Z", + "ingested": "2021-06-04T11:33:12.812500500Z", "original": "\u003c5\u003e1 2021-03-15T10:31:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:54\",\"IsoTimestamp\":\"2021-03-15T10:31:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -1099,7 +1099,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:20.525285500Z", + "ingested": "2021-06-04T11:33:12.812503800Z", "original": "\u003c5\u003e1 2021-03-15T14:08:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:26\",\"IsoTimestamp\":\"2021-03-15T14:08:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", 
@@ -1227,7 +1227,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:20.525288500Z", + "ingested": "2021-06-04T11:33:12.812506300Z", "original": "\u003c5\u003e1 2021-03-16T10:04:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:49\",\"IsoTimestamp\":\"2021-03-16T10:04:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json index d7e4552eb46..3e674937811 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json 
@@ -58,7 +58,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:20.886786200Z", + "ingested": "2021-06-04T11:33:13.186536400Z", "original": "\u003c7\u003e1 2021-03-08T18:31:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:31:52\",\"IsoTimestamp\":\"2021-03-08T18:31:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansr\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", @@ -133,7 +133,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:20.886811900Z", + "ingested": "2021-06-04T11:33:13.186550800Z", "original": "\u003c7\u003e1 2021-03-08T18:32:03Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:03\",\"IsoTimestamp\":\"2021-03-08T18:32:03Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansra\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", 
@@ -212,7 +212,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:20.886815500Z", + "ingested": "2021-06-04T11:33:13.186555300Z", "original": "\u003c7\u003e1 2021-03-11T16:43:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:43:26\",\"IsoTimestamp\":\"2021-03-11T16:43:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"PSMAdmin\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"\"}}}", "code": "309", "kind": "event", 
@@ -300,7 +300,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:20.886818400Z", + "ingested": "2021-06-04T11:33:13.186558Z", "original": "\u003c7\u003e1 2021-03-11T17:46:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:28\",\"IsoTimestamp\":\"2021-03-11T17:46:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adrian\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "309", "kind": "event", 
@@ -397,7 +397,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:20.886820900Z", + "ingested": "2021-06-04T11:33:13.186560300Z", "original": "\u003c7\u003e1 2021-03-14T13:28:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:28:00\",\"IsoTimestamp\":\"2021-03-14T13:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"testark\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"34.71.250.247\"}}}", "code": "309", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json index 2b87f5b6212..b6b9c2c8a11 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json 
@@ -72,7 +72,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.012386200Z", + "ingested": "2021-06-04T11:33:13.302401500Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e31\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=dbserver.cyberark.local;username=Administrator2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" 
Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Version\":\"11.6.0000\",\"MessageID\":\"31\",\"Desc\":\"CPM Reconcile Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=dbserver.cyberark.local;username=Administrator2;\",\"Message\":\"CPM Reconcile Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "31", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json index 88c9e117319..c6b75fca4ba 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-05-31T15:30:21.062012500Z", + "ingested": "2021-06-04T11:33:13.339254200Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-05-31T15:30:21.062027700Z", + "ingested": "2021-06-04T11:33:13.339268800Z", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
index 6c761623f1e..0fc53703252 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json
@@ -47,7 +47,7 @@
 "event": {
 "severity": 2,
 "action": "monitor dr replication end",
- "ingested": "2021-05-31T15:30:21.100917900Z",
+ "ingested": "2021-06-04T11:33:13.373469900Z",
 "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}",
 "code": "311",
 "kind": "event"
@@ -90,7 +90,7 @@
 "event": {
 "severity": 2,
 "action": "monitor dr replication end",
- "ingested": "2021-05-31T15:30:21.100932600Z",
+ "ingested": "2021-06-04T11:33:13.373479200Z",
 "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}",
 "code": "311",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json
index f941d4c5f05..bf0083ddb54 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json
@@ -61,7 +61,7 @@ "event": { "severity": 2, "action": "reset user password detailed information", - "ingested": "2021-05-31T15:30:21.142743500Z", + "ingested": "2021-06-04T11:33:13.410630600Z", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"316\",\"Desc\":\"Reset User Password Detailed Information\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password Detailed Information\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Password changed\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password Detailed Information\",\"GatewayStation\":\"\"}}}", "code": "316", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json index 58ec72323f7..1d90ab078bb 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json @@ -60,7 +60,7 @@ "event": { "severity": 2, "action": "reset user password", - "ingested": "2021-05-31T15:30:21.177432100Z", + "ingested": "2021-06-04T11:33:13.438169700Z", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"317\",\"Desc\":\"Reset User Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password\",\"GatewayStation\":\"\"}}}", "code": "317", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json index a4b334bc4e7..afe4df95a34 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json 
@@ -64,7 +64,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206498800Z", + "ingested": "2021-06-04T11:33:13.462377900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -148,7 +148,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206512700Z", + "ingested": "2021-06-04T11:33:13.462388900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -233,7 +233,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206516100Z", + "ingested": "2021-06-04T11:33:13.462392200Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Batch\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -318,7 +318,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206518800Z", + "ingested": "2021-06-04T11:33:13.462394900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Operators\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -403,7 +403,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206521500Z", + "ingested": "2021-06-04T11:33:13.462397300Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Backup Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -488,7 +488,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206523800Z", + "ingested": "2021-06-04T11:33:13.462399500Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -573,7 +573,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206526200Z", + "ingested": "2021-06-04T11:33:13.462401800Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"DR Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -658,7 +658,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206528500Z", + "ingested": "2021-06-04T11:33:13.462404200Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Notification Engines\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -743,7 +743,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206530900Z", + "ingested": "2021-06-04T11:33:13.462406400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -828,7 +828,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206533300Z", + "ingested": "2021-06-04T11:33:13.462408600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -913,7 +913,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206535500Z", + "ingested": "2021-06-04T11:33:13.462410900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -998,7 +998,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206538400Z", + "ingested": "2021-06-04T11:33:13.462413400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -1083,7 +1083,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206540800Z", + "ingested": "2021-06-04T11:33:13.462415800Z", "original": "\u003c5\u003e1 2021-03-10T09:11:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:36\",\"IsoTimestamp\":\"2021-03-10T09:11:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBUserProfile\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -1168,7 +1168,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206543100Z", + "ingested": "2021-06-04T11:33:13.462418100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:37\",\"IsoTimestamp\":\"2021-03-10T09:11:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -1253,7 +1253,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206545500Z", + "ingested": "2021-06-04T11:33:13.462420400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:38\",\"IsoTimestamp\":\"2021-03-10T09:11:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeCustom\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -1338,7 +1338,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.206547800Z", + "ingested": "2021-06-04T11:33:13.462422800Z", "original": "\u003c5\u003e1 2021-03-10T17:59:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:32\",\"IsoTimestamp\":\"2021-03-10T17:59:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json index 70b232ef8d7..8dffa2f64df 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection start", - "ingested": "2021-05-31T15:30:21.610055Z", + "ingested": "2021-06-04T11:33:13.854526500Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e326\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection Start\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection Start\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection Start\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"326\",\"Desc\":\"CPM Auto-detection Start\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection Start\",\"GatewayStation\":\"\"}}}", "code": "326", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json index 8a01d9d5ae7..4960b9d2f44 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection end", - "ingested": "2021-05-31T15:30:21.644006Z", + "ingested": "2021-06-04T11:33:13.883078500Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e327\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection End\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection End\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection End\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"327\",\"Desc\":\"CPM Auto-detection End\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection End\",\"GatewayStation\":\"\"}}}", "code": "327", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json index 65523adddec..a97a3b2c9ed 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json 
@@ -64,7 +64,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.676707Z", + "ingested": "2021-06-04T11:33:13.917022900Z", "original": "\u003c5\u003e1 2021-03-10T18:16:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:49\",\"IsoTimestamp\":\"2021-03-10T18:16:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -149,7 +149,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.676721300Z", + "ingested": "2021-06-04T11:33:13.917035800Z", "original": "\u003c5\u003e1 2021-03-10T18:16:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:50\",\"IsoTimestamp\":\"2021-03-10T18:16:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", 
@@ -234,7 +234,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.676724500Z", + "ingested": "2021-06-04T11:33:13.917039Z", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -319,7 +319,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.676727300Z", + "ingested": "2021-06-04T11:33:13.917041400Z", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", 
@@ -404,7 +404,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.676730100Z", + "ingested": "2021-06-04T11:33:13.917043900Z", "original": "\u003c5\u003e1 2021-03-10T18:16:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:53\",\"IsoTimestamp\":\"2021-03-10T18:16:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMUniversalConnectors\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -488,7 +488,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.676732600Z", + "ingested": "2021-06-04T11:33:13.917046100Z", "original": "\u003c5\u003e1 2021-03-10T22:19:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:18\",\"IsoTimestamp\":\"2021-03-10T22:19:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", 
@@ -574,7 +574,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.676735Z", + "ingested": "2021-06-04T11:33:13.917048400Z", "original": "\u003c5\u003e1 2021-03-11T17:38:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e33\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:14\",\"IsoTimestamp\":\"2021-03-11T17:38:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update 
Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json index acad450bae2..fbb54c9165b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor license expiration date start", - "ingested": "2021-05-31T15:30:21.851265300Z", + "ingested": "2021-06-04T11:33:14.089316900Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"355\",\"Desc\":\"Monitor License Expiration Date start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date start\",\"GatewayStation\":\"\"}}}", "code": "355", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json index 140dd837eff..755d06e5a88 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor license expiration date end", - "ingested": "2021-05-31T15:30:21.876955900Z", + "ingested": "2021-06-04T11:33:14.113820700Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"356\",\"Desc\":\"Monitor License Expiration Date end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date end\",\"GatewayStation\":\"\"}}}", "code": "356", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json index 51056144419..bd6ad4b1693 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-05-31T15:30:21.901440800Z", + "ingested": "2021-06-04T11:33:14.160454200Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-05-31T15:30:21.901459500Z", + "ingested": "2021-06-04T11:33:14.160469100Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json index c0d1e845fbd..42fb47fd3b9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-05-31T15:30:21.939691400Z", + "ingested": "2021-06-04T11:33:14.196022700Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-05-31T15:30:21.939706400Z", + "ingested": "2021-06-04T11:33:14.196035800Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json index aa9ab0a90fa..8f7fb9f6823 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json 
@@ -102,7 +102,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983073300Z", + "ingested": "2021-06-04T11:33:14.230205Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT USER FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -221,7 +221,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983089100Z", + "ingested": "2021-06-04T11:33:14.230216500Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_OUTPUT.DISABLE\\\\; END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_OUTPUT.DISABLE\\\\; 
END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983092700Z", + "ingested": "2021-06-04T11:33:14.230219500Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -459,7 +459,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983095800Z", + "ingested": "2021-06-04T11:33:14.230222Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty 
Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -578,7 +578,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983098500Z", + "ingested": "2021-06-04T11:33:14.230224300Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by 
position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -697,7 +697,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983101200Z", + "ingested": "2021-06-04T11:33:14.230226800Z", "original": "\u003c5\u003e1 2021-03-25T14:56:45Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:45\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:45Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:45\",\"IsoTimestamp\":\"2021-03-25T14:56:45Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT DECODE('A','A','1','2') FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -816,7 +816,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983104200Z", + "ingested": "2021-06-04T11:33:14.230229100Z", "original": "\u003c5\u003e1 2021-03-25T14:56:54Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:54\",\"IsoTimestamp\":\"2021-03-25T14:56:54Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -935,7 +935,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983106800Z", + "ingested": "2021-06-04T11:33:14.230231300Z", "original": "\u003c5\u003e1 2021-03-25T14:58:02Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:02\",\"IsoTimestamp\":\"2021-03-25T14:58:02Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -1054,7 +1054,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983109300Z", + "ingested": "2021-06-04T11:33:14.230233800Z", "original": "\u003c5\u003e1 2021-03-25T14:57:05Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:57:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:57:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:57:05\",\"IsoTimestamp\":\"2021-03-25T14:57:05Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -1173,7 +1173,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:21.983111900Z", + "ingested": "2021-06-04T11:33:14.230236100Z", "original": "\u003c5\u003e1 2021-03-25T14:58:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:44\",\"IsoTimestamp\":\"2021-03-25T14:58:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=select distinct owner from 
all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json index afffaeaecd0..358c273e228 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json 
@@ -85,7 +85,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:22.392225300Z", + "ingested": "2021-06-04T11:33:14.622793600Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"361\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "361", "kind": "event", 
@@ -223,7 +223,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:22.392239100Z", + "ingested": "2021-06-04T11:33:14.622807500Z", "original": "\u003c5\u003e1 2021-03-14T13:49:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:49\",\"IsoTimestamp\":\"2021-03-14T13:49:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", 
@@ -359,7 +359,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:22.392242300Z", + "ingested": "2021-06-04T11:33:14.622810700Z", "original": "\u003c5\u003e1 2021-03-15T10:32:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:32:04\",\"IsoTimestamp\":\"2021-03-15T10:32:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", 
@@ -495,7 +495,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:22.392245Z",
+ "ingested": "2021-06-04T11:33:14.622813600Z",
 "original": "\u003c5\u003e1 2021-03-15T10:33:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:47\",\"IsoTimestamp\":\"2021-03-15T10:33:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "361",
 "kind": "event", 
@@ -631,7 +631,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:22.392247600Z",
+ "ingested": "2021-06-04T11:33:14.622816Z",
 "original": "\u003c5\u003e1 2021-03-15T10:35:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:08\",\"IsoTimestamp\":\"2021-03-15T10:35:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "361",
 "kind": "event", 
@@ -772,7 +772,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:22.392250100Z",
+ "ingested": "2021-06-04T11:33:14.622859Z",
 "original": "\u003c5\u003e1 2021-03-15T14:11:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:18\",\"IsoTimestamp\":\"2021-03-15T14:11:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}",
 "code": "361",
 "kind": "event", 
@@ -913,7 +913,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:22.392291400Z",
+ "ingested": "2021-06-04T11:33:14.622862600Z",
 "original": "\u003c5\u003e1 2021-03-15T14:45:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:45:51\",\"IsoTimestamp\":\"2021-03-15T14:45:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set 
or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}",
 "code": "361",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json
index 92274921ebc..b5352383175 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json 
@@ -104,7 +104,7 @@
 "event": {
 "severity": 7,
 "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
- "ingested": "2021-05-31T15:30:22.703434Z",
+ "ingested": "2021-06-04T11:33:14.919425Z",
 "original": "\u003c7\u003e1 2021-03-15T13:19:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814397\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:19:58\",\"IsoTimestamp\":\"2021-03-15T13:19:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814397\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "38",
 "kind": "event", 
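Review bot: The `+ "ingested": "2021-06-04T11:33:14.919425Z",` line pins `event.ingested` to a wall-clock value, while the same diff deletes `test-38-cpm-verify-password-failed.log-config.yml`, which declared `dynamic_fields: event.ingested: ".*"` so that this field would be compared by pattern rather than exactly. Unless a shared test config not visible here still declares that dynamic field, this fixture will mismatch on the next pipeline-test run, since the timestamp is regenerated every time. The same concern applies to the `-226,7` and `-347,7` hunks of this file. The deleted config also carried the `preserve_original_event` tag; `event.original` is still present as unchanged context on the new side, so it is worth confirming where that tag is now supplied.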
@@ -226,7 +226,7 @@
 "event": {
 "severity": 7,
 "reason": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ",
- "ingested": "2021-05-31T15:30:22.703448900Z",
+ "ingested": "2021-06-04T11:33:14.919437700Z",
 "original": "\u003c7\u003e1 2021-03-15T13:25:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814709\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserDN\\\" Value=\\\"ELASTIC.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:25:32\",\"IsoTimestamp\":\"2021-03-15T13:25:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814709\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"UserDN\",\"Value\":\"ELASTIC.local\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "38",
 "kind": "event", 
@@ -347,7 +347,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-05-31T15:30:22.703451800Z", + "ingested": "2021-06-04T11:33:14.919440500Z", "original": "\u003c7\u003e1 2021-03-15T13:33:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615815206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:33:26\",\"IsoTimestamp\":\"2021-03-15T13:33:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615815206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
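Review bot: The only new-side change in this hunk (and in the sibling hunks at 469, 591, 699, 809, 919 and 1029) is the `event.ingested` timestamp, which is rewritten every time the expected output is regenerated, so this fixture will keep churning on regeneration without verifying anything about the pipeline. The test's companion `*.log-config.yml` (placeholder: TEST-NAME.log-config.yml) could mark that field as dynamic — `dynamic_fields:` followed by `  event.ingested: ".*"` — so the comparison ignores it, assuming the elastic-package version in use supports `dynamic_fields`. Separately, the unchanged context in the 919 and 1029 hunks carries a DSN CAProperty with an inline `PWD=` value; it reads as lab data, but it is worth confirming it is synthetic before it ships as a public fixture.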
@@ -469,7 +469,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-05-31T15:30:22.703454400Z", + "ingested": "2021-06-04T11:33:14.919442800Z", "original": "\u003c7\u003e1 2021-03-15T15:04:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615820651\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:04:11\",\"IsoTimestamp\":\"2021-03-15T15:04:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615820651\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -591,7 +591,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-05-31T15:30:22.703456800Z", + "ingested": "2021-06-04T11:33:14.919444900Z", "original": "\u003c7\u003e1 2021-03-15T16:35:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615826099\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:35:01\",\"IsoTimestamp\":\"2021-03-15T16:35:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615826099\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -699,7 +699,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-05-31T15:30:22.703459Z", + "ingested": "2021-06-04T11:33:14.919447500Z", "original": "\u003c7\u003e1 2021-03-15T16:56:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:56:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:56:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827245\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:56:29\",\"IsoTimestamp\":\"2021-03-15T16:56:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827245\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -809,7 +809,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", - "ingested": "2021-05-31T15:30:22.703461400Z", + "ingested": "2021-06-04T11:33:14.919449600Z", "original": "\u003c7\u003e1 2021-03-15T17:01:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:01:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:01:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827554\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mariadb\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:01:07\",\"IsoTimestamp\":\"2021-03-15T17:01:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827554\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"mariadb\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -919,7 +919,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-05-31T15:30:22.703464200Z", + "ingested": "2021-06-04T11:33:14.919451800Z", "original": "\u003c7\u003e1 2021-03-15T17:05:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:05:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:05:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827864\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:05:47\",\"IsoTimestamp\":\"2021-03-15T17:05:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827864\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1029,7 +1029,7 @@
 "event": {
 "severity": 7,
 "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length",
- "ingested": "2021-05-31T15:30:22.703466700Z",
+ "ingested": "2021-06-04T11:33:14.919454Z",
 "original": "\u003c7\u003e1 2021-03-15T17:10:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:10:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:10:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615828174\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:10:25\",\"IsoTimestamp\":\"2021-03-15T17:10:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615828174\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1140,7 +1140,7 @@
 "event": {
 "severity": 7,
 "reason": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified",
- "ingested": "2021-05-31T15:30:22.703469Z",
+ "ingested": "2021-06-04T11:33:14.919456100Z",
 "original": "\u003c7\u003e1 2021-03-15T17:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:28:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:28:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829287\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:28:07\",\"IsoTimestamp\":\"2021-03-15T17:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829287\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1253,7 +1253,7 @@
 "event": {
 "severity": 7,
 "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified",
- "ingested": "2021-05-31T15:30:22.703471300Z",
+ "ingested": "2021-06-04T11:33:14.919458200Z",
 "original": "\u003c7\u003e1 2021-03-15T17:33:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:33:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:33:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829597\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:33:17\",\"IsoTimestamp\":\"2021-03-15T17:33:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829597\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1366,7 +1366,7 @@
 "event": {
 "severity": 7,
 "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length",
- "ingested": "2021-05-31T15:30:22.703473600Z",
+ "ingested": "2021-06-04T11:33:14.919460600Z",
 "original": "\u003c7\u003e1 2021-03-15T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829907\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:38:27\",\"IsoTimestamp\":\"2021-03-15T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829907\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1475,7 +1475,7 @@
 "event": {
 "severity": 7,
 "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified",
- "ingested": "2021-05-31T15:30:22.703476Z",
+ "ingested": "2021-06-04T11:33:14.919462600Z",
 "original": "\u003c7\u003e1 2021-03-15T18:00:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:00:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:00:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:00:07\",\"IsoTimestamp\":\"2021-03-15T18:00:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
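Review bot: The `original` line of this hunk indexes the managed database password in clear text — `Password\\=1234` inside `ExtraDetails` and `Password=1234` in the `Address` CAProperty — and the earlier events in this file carry `PWD=1234` in their `DSN` property, yet the commit only refreshes `ingested` and keeps that as the expected result. The parsed `cyberarkpas.*` fields are outside this hunk, so whether the pipeline also copies these connection strings into searchable fields cannot be confirmed from here; if it does, a redaction step before indexing, roughly a `gsub` on the affected field with pattern `(?i)(pwd|password)\\?=[^;"]*` and replacement `$1=REDACTED`, would keep CPM connection strings from landing in the index as secrets. At minimum the package documentation should warn that CyberArk emits DSN and connection-string properties that may embed credentials. The fixture would also read safer with an obviously synthetic placeholder instead of `1234`, but that is a change to the `.log` input rather than to this expected file.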
@@ -1597,7 +1597,7 @@
 "event": {
 "severity": 7,
 "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
- "ingested": "2021-05-31T15:30:22.703478200Z",
+ "ingested": "2021-06-04T11:33:14.919464700Z",
 "original": "\u003c7\u003e1 2021-03-15T18:05:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831516\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:05:16\",\"IsoTimestamp\":\"2021-03-15T18:05:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831516\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "38",
 "kind": "event",
@@ -1719,7 +1719,7 @@
 "event": {
 "severity": 7,
 "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ",
- "ingested": "2021-05-31T15:30:22.703480400Z",
+ "ingested": "2021-06-04T11:33:14.919466800Z",
 "original": "\u003c7\u003e1 2021-03-16T09:50:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 02:50:19\",\"IsoTimestamp\":\"2021-03-16T09:50:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "38",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json
index 8f03448be8c..5aacddab4c3 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json 
@@ -58,7 +58,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record",
- "ingested": "2021-05-31T15:30:23.237084300Z",
+ "ingested": "2021-06-04T11:33:15.446535600Z",
 "original": "\u003c5\u003e1 2021-03-11T16:31:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:13\",\"IsoTimestamp\":\"2021-03-11T16:31:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event"
@@ -122,7 +122,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record",
- "ingested": "2021-05-31T15:30:23.237097700Z",
+ "ingested": "2021-06-04T11:33:15.446548700Z",
 "original": "\u003c5\u003e1 2021-03-11T16:31:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:23\",\"IsoTimestamp\":\"2021-03-11T16:31:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event"
@@ -186,7 +186,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record",
- "ingested": "2021-05-31T15:30:23.237100800Z",
+ "ingested": "2021-06-04T11:33:15.446551500Z",
 "original": "\u003c5\u003e1 2021-03-11T19:40:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:40:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:40:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:40:52\",\"IsoTimestamp\":\"2021-03-11T19:40:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event"
@@ -250,7 +250,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record",
- "ingested": "2021-05-31T15:30:23.237103500Z",
+ "ingested": "2021-06-04T11:33:15.446554300Z",
 "original": "\u003c5\u003e1 2021-03-14T12:04:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:35\",\"IsoTimestamp\":\"2021-03-14T12:04:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event"
@@ -314,7 +314,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-05-31T15:30:23.237105900Z", + "ingested": "2021-06-04T11:33:15.446556600Z", "original": "\u003c5\u003e1 2021-03-14T12:04:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:53\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:53Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:53\",\"IsoTimestamp\":\"2021-03-14T12:04:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json index 9ff035d4e0c..bda5a06ad15 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json 
@@ -61,7 +61,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:23.396901Z", + "ingested": "2021-06-04T11:33:15.552396Z", "original": "\u003c7\u003e1 2021-03-10T18:42:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:42:36\",\"IsoTimestamp\":\"2021-03-10T18:42:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"\"}}}", "code": "4", "kind": "event", 
@@ -137,7 +137,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:23.396914300Z", + "ingested": "2021-06-04T11:33:15.552408900Z", "original": "\u003c7\u003e1 2021-03-11T18:03:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:03:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:03:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e4\u003c/MessageID\u003e\\n \u003cDesc\u003eUser Authentication\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUser Authentication\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUser Authentication\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:03:43\",\"IsoTimestamp\":\"2021-03-11T18:03:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User 
Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "4", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json index f42d68d561c..4fa6ccc9820 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
@@ -95,7 +95,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:23.446758100Z", + "ingested": "2021-06-04T11:33:15.600235100Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e411\u003c/MessageID\u003e\\n \u003cDesc\u003eWindow Title\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eWindow Title\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.5\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eWindow Title\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"411\",\"Desc\":\"Window Title\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Window Title\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.5\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\",\"IsoTimestamp\":\"2021-03-16T17:11:42Z\",\"Message\":\"Window 
Title\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "411", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json index 69f630a6fca..d50b1374b43 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json 
@@ -101,7 +101,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:23.493895300Z", + "ingested": "2021-06-04T11:33:15.643035900Z", "original": "\u003c5\u003e1 2021-03-25T11:29:37Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 07:29:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T11:29:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e412\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eMSSQL\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MSSql-epmsvr01.cybr.com-sa\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SHOW DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MSSql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"sa\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"tgtsvr01.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"master\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580240\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011980\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SQL;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 07:29:37\",\"IsoTimestamp\":\"2021-03-25T11:29:37Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"412\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"MSSQL\",\"File\":\"Root\\\\Database-MSSql-epmsvr01.cybr.com-sa\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SHOW 
DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MSSql\"},{\"Name\":\"UserName\",\"Value\":\"sa\"},{\"Name\":\"Address\",\"Value\":\"tgtsvr01.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"master\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580240\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011980\"},{\"Name\":\"Tags\",\"Value\":\"SQL;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "412", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json index 6dcba955a6c..f56b75c3726 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json 
@@ -93,7 +93,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:23.543045Z", + "ingested": "2021-06-04T11:33:15.689852800Z", "original": "\u003c5\u003e1 2021-03-25T10:04:06Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 06:04:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T10:04:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e414\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux SSH Keys\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eVerificationPeriod\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall1;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616666646\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1582315464\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 06:04:06\",\"IsoTimestamp\":\"2021-03-25T10:04:06Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"414\",\"Desc\":\"CPM Verify SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux SSH Keys\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-rhel7.cybr.com-firecall1\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"VerificationPeriod\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall1;\",\"Message\":\"CPM Verify SSH Key\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"firecall1\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"SequenceID\",\"Value\":\"2\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616666646\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1582315464\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "414", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json index 7071205acee..713aaf53992 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "store ssh key", - "ingested": "2021-05-31T15:30:23.589116500Z", + "ingested": "2021-06-04T11:33:15.739741800Z", "original": "\u003c5\u003e1 2021-03-11T16:50:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e427\u003c/MessageID\u003e\\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:17\",\"IsoTimestamp\":\"2021-03-11T16:50:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"427\",\"Desc\":\"Store SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store SSH Key\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "427", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json index fb38e0157cc..b5996b7eacd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json 
@@ -99,7 +99,7 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)for fun and profit", - "ingested": "2021-05-31T15:30:23.619584600Z", + "ingested": "2021-06-04T11:33:15.770419Z", "original": "\u003c5\u003e1 2021-03-11T17:43:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:43:44\",\"IsoTimestamp\":\"2021-03-11T17:43:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)for fun and profit\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"for fun and profit\",\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", 
@@ -219,7 +219,7 @@ "event": { "severity": 2, "reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", - "ingested": "2021-05-31T15:30:23.619597800Z", + "ingested": "2021-06-04T11:33:15.770430400Z", "original": "\u003c5\u003e1 2021-03-11T21:08:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 34.123.103.115)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n \u003cConnectionDetails\u003e\\n \u003cConnectionAddress\u003e34.123.103.115\u003c/ConnectionAddress\u003e\\n \u003c/ConnectionDetails\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:08:48\",\"IsoTimestamp\":\"2021-03-11T21:08:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)testing(Connection to address: 34.123.103.115)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"testing\",\"RetrieveAction\":\"Connect\"},\"ConnectionDetails\":{\"ConnectionAddress\":\"34.123.103.115\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", 
"kind": "event", 
@@ -335,7 +335,7 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)", - "ingested": "2021-05-31T15:30:23.619600800Z", + "ingested": "2021-06-04T11:33:15.770433Z", "original": "\u003c5\u003e1 2021-03-15T13:18:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:52\",\"IsoTimestamp\":\"2021-03-15T13:18:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json index 823d207d5b4..bfa1614b861 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json 
@@ -49,7 +49,7 @@ "event": { "severity": 2, "action": "create discovery succeeded", - "ingested": "2021-05-31T15:30:23.724918400Z", + "ingested": "2021-06-04T11:33:15.879035200Z", "original": "\u003c5\u003e1 2021-03-14T12:06:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:06:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:06:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e449\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate Discovery Succeeded\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eCreate Discovery Succeeded\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eStatus:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate Discovery Succeeded\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:06:35\",\"IsoTimestamp\":\"2021-03-14T12:06:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"449\",\"Desc\":\"Create Discovery 
Succeeded\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create Discovery Succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Status:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\",\"ExtraDetails\":\"\",\"Message\":\"Create Discovery Succeeded\",\"GatewayStation\":\"\"}}}", "code": "449", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json index 382f0300634..4b2d293b4b4 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json 
@@ -76,7 +76,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-05-31T15:30:23.751750400Z", + "ingested": "2021-06-04T11:33:15.903375500Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -158,7 +158,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-05-31T15:30:23.751764100Z", + "ingested": "2021-06-04T11:33:15.903386300Z", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=1;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -241,7 +241,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-05-31T15:30:23.751767300Z", + "ingested": "2021-06-04T11:33:15.903389Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e459\u003c/MessageID\u003e\\n \u003cDesc\u003eGeneral Audit\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eGeneral Audit\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eDual account rotation\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDualAccountStatus=Active;Index=2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGeneral Audit\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615419568\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Active\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General 
Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json index c059ed33cad..5eef1d615c6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "the component public key for jwt authentication was updated", - "ingested": "2021-05-31T15:30:23.858441200Z", + "ingested": "2021-06-04T11:33:16.011617100Z", "original": "\u003c5\u003e1 2021-03-10T18:14:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:14:35\",\"IsoTimestamp\":\"2021-03-10T18:14:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"467\",\"Desc\":\"The component public key for JWT authentication was updated\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"The component public key for JWT authentication was updated\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"The component public key for JWT authentication was updated\",\"GatewayStation\":\"\"}}}", "code": "467", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json index 17b24e97cb2..e765697b5a5 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json @@ -46,7 +46,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:23.885181600Z", + "ingested": "2021-06-04T11:33:16.037606600Z", "original": "\u003c7\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", 
@@ -90,7 +90,7 @@ }, "event": { "severity": 7, - "ingested": "2021-05-31T15:30:23.885195Z", + "ingested": "2021-06-04T11:33:16.037616900Z", "original": "Mar 08 07:46:54 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json index 423d8006e67..7dcdf96f11f 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "update existing add account bulk operation succeeded", - "ingested": "2021-05-31T15:30:23.925378700Z", + "ingested": "2021-06-04T11:33:16.084734300Z", "original": "\u003c5\u003e1 2021-03-10T08:31:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:49\",\"IsoTimestamp\":\"2021-03-10T08:31:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"482\",\"Desc\":\"Update existing Add Account Bulk Operation succeeded\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Update existing Add Account Bulk Operation succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update existing Add Account Bulk Operation succeeded\",\"GatewayStation\":\"\"}}}", "code": "482", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json index 3358e5fa1e5..527d38ff4ee 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-05-31T15:30:23.954026800Z", + "ingested": "2021-06-04T11:33:16.110786300Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -122,7 +122,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-05-31T15:30:23.954042300Z", + "ingested": "2021-06-04T11:33:16.110796900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"Root\\\\syntaxparser-conf.json.1.1\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" @@ -180,7 +180,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-05-31T15:30:23.954063900Z", + "ingested": "2021-06-04T11:33:16.110813100Z", "original": "\u003c5\u003e1 2021-03-10T18:36:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:36:22\",\"IsoTimestamp\":\"2021-03-10T18:36:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -249,7 +249,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-05-31T15:30:23.954068800Z", + "ingested": "2021-06-04T11:33:16.110817200Z", "original": "\u003c5\u003e1 2021-03-10T22:17:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:56\",\"IsoTimestamp\":\"2021-03-10T22:17:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -320,7 +320,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-05-31T15:30:23.954072100Z", + "ingested": "2021-06-04T11:33:16.110820200Z", "original": "\u003c5\u003e1 2021-03-11T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:27\",\"IsoTimestamp\":\"2021-03-11T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -388,7 +388,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-05-31T15:30:23.954075100Z", + "ingested": "2021-06-04T11:33:16.110822500Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "50",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json
index e3cbd6e2b22..b2cd019b151 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json
@@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-05-31T15:30:24.089609500Z", + "ingested": "2021-06-04T11:33:16.253471100Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" @@ -110,7 +110,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-05-31T15:30:24.089622800Z", + "ingested": "2021-06-04T11:33:16.253485900Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AppProviderConf\",\"File\":\"Root\\\\main_appprovider.conf.Win64.11.04\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json
index 7f677bcec88..ee264404885 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json
@@ -69,7 +69,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137889900Z", + "ingested": "2021-06-04T11:33:16.296182900Z", "original": "\u003c5\u003e1 2021-03-08T18:32:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:43\",\"IsoTimestamp\":\"2021-03-08T18:32:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -145,7 +145,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137909200Z", + "ingested": "2021-06-04T11:33:16.296200600Z", "original": "\u003c5\u003e1 2021-03-08T18:38:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:38:21\",\"IsoTimestamp\":\"2021-03-08T18:38:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"VaultInternal\",\"File\":\"Root\\\\Operating System-WinServerLocal-components-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinServerLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"LogonDomain\",\"Value\":\"COMPONENTS\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -203,7 +203,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137911400Z", + "ingested": "2021-06-04T11:33:16.296202900Z", "original": "\u003c5\u003e1 2021-03-08T19:20:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:04\",\"IsoTimestamp\":\"2021-03-08T19:20:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"Root\\\\Test_4\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" 
@@ -273,7 +273,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137913100Z", + "ingested": "2021-06-04T11:33:16.296204700Z", "original": "\u003c5\u003e1 2021-03-11T18:59:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:59:57\",\"IsoTimestamp\":\"2021-03-11T18:59:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Delete 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" 
@@ -341,7 +341,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137914500Z", + "ingested": "2021-06-04T11:33:16.296206800Z", "original": "\u003c5\u003e1 2021-03-11T19:32:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:32:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:32:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_1\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_2\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_3\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_4\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"_PSMLiveSessions_5\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:32:12\",\"IsoTimestamp\":\"2021-03-11T19:32:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"_PSMLiveSessions_1\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_2\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_3\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_4\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_5\",\"Value\":\"\"}]}}}}", "code": "52", "kind": "event" 
@@ -417,7 +417,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137916500Z", + "ingested": "2021-06-04T11:33:16.296208300Z", "original": "\u003c5\u003e1 2021-03-11T21:06:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"35.192.121.42\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:40\",\"IsoTimestamp\":\"2021-03-11T21:06:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"35.192.121.42\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -491,7 +491,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137945Z", + "ingested": "2021-06-04T11:33:16.296232200Z", "original": "\u003c5\u003e1 2021-03-11T21:06:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.65\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"ASR-CYBERARK-WI\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:50\",\"IsoTimestamp\":\"2021-03-11T21:06:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.65\"},{\"Name\":\"LogonDomain\",\"Value\":\"ASR-CYBERARK-WI\"}]}}}}", "code": "52", "kind": "event" 
@@ -565,7 +565,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137947100Z", + "ingested": "2021-06-04T11:33:16.296234400Z", "original": "\u003c5\u003e1 2021-03-14T12:10:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:10:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:10:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:10:17\",\"IsoTimestamp\":\"2021-03-14T12:10:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}", "code": "52", "kind": "event" 
@@ -643,7 +643,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137948800Z", + "ingested": "2021-06-04T11:33:16.296236100Z", "original": "\u003c5\u003e1 2021-03-15T15:09:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:09:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:09:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:09:00\",\"IsoTimestamp\":\"2021-03-15T15:09:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-Oracle-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "52", "kind": "event" 
@@ -721,7 +721,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-05-31T15:30:24.137950300Z", + "ingested": "2021-06-04T11:33:16.296237600Z", "original": "\u003c5\u003e1 2021-03-15T15:13:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:13:59\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:13:59Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:13:59\",\"IsoTimestamp\":\"2021-03-15T15:13:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "52", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json
index 4b63c08aa34..e74b3e19ee1 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json
@@ -92,7 +92,7 @@ "event": { "severity": 7, "reason": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002", - "ingested": "2021-05-31T15:30:24.402124100Z", + "ingested": "2021-06-04T11:33:16.538837800Z", "original": "\u003c7\u003e1 2021-03-25T12:00:08Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 08:00:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T12:00:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e57\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux Accounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1616673608\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580255\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011989\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1576120341\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"No\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 08:00:08\",\"IsoTimestamp\":\"2021-03-25T12:00:08Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"57\",\"Desc\":\"CPM Change Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux Accounts\",\"File\":\"Root\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall2;\",\"Message\":\"CPM Change Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"firecall2\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1616673608\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580255\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011989\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1576120341\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"No\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "57", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-config.yml +++ /dev/null 
@@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json index ce48a789ba2..c742e99c24d 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json @@ -48,7 +48,7 @@ "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-05-31T15:30:24.448403800Z", + "ingested": "2021-06-04T11:33:16.582439400Z", "original": "\u003c5\u003e1 2021-03-04T19:25:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:25:02\",\"IsoTimestamp\":\"2021-03-04T19:25:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" 
@@ -92,7 +92,7 @@ "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-05-31T15:30:24.448416200Z", + "ingested": "2021-06-04T11:33:16.582449Z", "original": "Mar 08 03:10:31 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" @@ -149,7 +149,7 @@ "event": { "severity": 2, "action": "clear safe history", - "ingested": "2021-05-31T15:30:24.448418700Z", + "ingested": "2021-06-04T11:33:16.582450700Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"System\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}", "code": "59", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
index 4cb588b72af..8934490ef21 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
@@ -98,7 +98,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-05-31T15:30:24.507716700Z", + "ingested": "2021-06-04T11:33:16.635874300Z", "original": "\u003c7\u003e1 2021-03-11T21:12:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615497142\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:12:22\",\"IsoTimestamp\":\"2021-03-11T21:12:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile 
Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615497142\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -219,7 +219,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-05-31T15:30:24.507726800Z", + "ingested": "2021-06-04T11:33:16.635884300Z", "original": "\u003c7\u003e1 2021-03-14T13:18:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615727895\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:18:15\",\"IsoTimestamp\":\"2021-03-14T13:18:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615727895\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -336,7 +336,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-05-31T15:30:24.507728800Z", + "ingested": "2021-06-04T11:33:16.635886200Z", "original": "\u003c7\u003e1 2021-03-14T13:46:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:46:13\",\"IsoTimestamp\":\"2021-03-14T13:46:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -457,7 +457,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-05-31T15:30:24.507730200Z", + "ingested": "2021-06-04T11:33:16.635887600Z", "original": "\u003c7\u003e1 2021-03-14T14:49:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615733350\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 07:49:11\",\"IsoTimestamp\":\"2021-03-14T14:49:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615733350\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -578,7 +578,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-05-31T15:30:24.507731600Z", + "ingested": "2021-06-04T11:33:16.635888900Z", "original": "\u003c7\u003e1 2021-03-15T10:12:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:18\",\"IsoTimestamp\":\"2021-03-15T10:12:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -696,7 +696,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-05-31T15:30:24.507733Z", + "ingested": "2021-06-04T11:33:16.635890200Z", "original": "\u003c7\u003e1 2021-03-15T10:12:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:19\",\"IsoTimestamp\":\"2021-03-15T10:12:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -818,7 +818,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-05-31T15:30:24.507734300Z", + "ingested": "2021-06-04T11:33:16.635891500Z", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -936,7 +936,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-05-31T15:30:24.507735700Z", + "ingested": "2021-06-04T11:33:16.635892800Z", "original": "\u003c7\u003e1 2021-03-15T13:04:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:04:27\",\"IsoTimestamp\":\"2021-03-15T13:04:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -1057,7 +1057,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-05-31T15:30:24.507737100Z", + "ingested": "2021-06-04T11:33:16.635894200Z", "original": "\u003c7\u003e1 2021-03-15T14:44:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:44:37\",\"IsoTimestamp\":\"2021-03-15T14:44:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "60", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json index 60732e02d75..4344cb47a71 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json @@ -64,7 +64,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863283Z", + "ingested": "2021-06-04T11:33:16.981431Z", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -134,7 +134,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863293900Z", + "ingested": "2021-06-04T11:33:16.981440700Z", "original": "\u003c5\u003e1 2021-03-10T17:58:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:05\",\"IsoTimestamp\":\"2021-03-10T17:58:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMNotifications\",\"File\":\"Root\\\\SessionControl\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -204,7 +204,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863296600Z", + "ingested": "2021-06-04T11:33:16.981442400Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -273,7 +273,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863298800Z", + "ingested": "2021-06-04T11:33:16.981443700Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -332,7 +332,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863300600Z", + "ingested": "2021-06-04T11:33:16.981445Z", "original": "\u003c5\u003e1 2021-03-11T16:50:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:29\",\"IsoTimestamp\":\"2021-03-11T16:50:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -403,7 +403,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863302100Z", + "ingested": "2021-06-04T11:33:16.981446500Z", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -470,7 +470,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863304100Z", + "ingested": "2021-06-04T11:33:16.981447800Z", "original": "\u003c5\u003e1 2021-03-14T12:07:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedDiscoveryLogs\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:32\",\"IsoTimestamp\":\"2021-03-14T12:07:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedDiscoveryLogs\",\"File\":\"Root\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "62", "kind": "event" 
@@ -538,7 +538,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-05-31T15:30:24.863306100Z", + "ingested": "2021-06-04T11:33:16.981449Z", "original": "\u003c5\u003e1 2021-03-14T12:57:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:27\",\"IsoTimestamp\":\"2021-03-14T12:57:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}",
 "code": "62",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json
index 88083163c86..736c614acac 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058675700Z", + "ingested": "2021-06-04T11:33:17.158021Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e7\u003c/MessageID\u003e\\n \u003cDesc\u003eLogon\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eLogon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogon\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.2.0.3\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\"}}}", "code": "7", "kind": "event", 
@@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058686100Z", + "ingested": "2021-06-04T11:33:17.158032100Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -183,7 +183,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058687900Z", + "ingested": "2021-06-04T11:33:17.158034Z", "original": "\u003c5\u003e1 2021-03-04T19:10:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:20\",\"IsoTimestamp\":\"2021-03-04T19:10:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"SCIM-user\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -250,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058689300Z", + "ingested": "2021-06-04T11:33:17.158036200Z", "original": "\u003c5\u003e1 2021-03-04T19:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:20\",\"IsoTimestamp\":\"2021-03-04T19:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -317,7 +317,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058690800Z", + "ingested": "2021-06-04T11:33:17.158037600Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -384,7 +384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058692100Z", + "ingested": "2021-06-04T11:33:17.158038900Z", "original": "\u003c5\u003e1 2021-03-05T10:18:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 02:18:50\",\"IsoTimestamp\":\"2021-03-05T10:18:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -460,7 +460,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058693500Z", + "ingested": "2021-06-04T11:33:17.158040100Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", 
@@ -548,7 +548,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058694800Z", + "ingested": "2021-06-04T11:33:17.158041400Z", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", @@ -636,7 +636,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058696200Z", + "ingested": "2021-06-04T11:33:17.158042700Z", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", 
@@ -715,7 +715,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058697600Z", + "ingested": "2021-06-04T11:33:17.158044100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -794,7 +794,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.058699200Z", + "ingested": "2021-06-04T11:33:17.158045400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -873,7 +873,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-05-31T15:30:25.058700800Z",
+ "ingested": "2021-06-04T11:33:17.158046800Z",
 "original": "\u003c5\u003e1 2021-03-10T09:11:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:49\",\"IsoTimestamp\":\"2021-03-10T09:11:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}",
 "code": "7",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml
deleted file mode 100644
index 5622947e4b8..00000000000
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-config.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
-fields:
- tags:
- - preserve_original_event
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json
index 77fb528c0fc..9bc3363f904 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316787700Z", + "ingested": "2021-06-04T11:33:17.393067Z", "original": "\u003c5\u003e1 2021-03-08T18:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:19:15\",\"IsoTimestamp\":\"2021-03-08T18:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316798700Z", + "ingested": "2021-06-04T11:33:17.393075100Z", "original": "\u003c5\u003e1 2021-03-08T18:59:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:59:23\",\"IsoTimestamp\":\"2021-03-08T18:59:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -183,7 +183,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316800500Z", + "ingested": "2021-06-04T11:33:17.393076700Z", "original": "\u003c5\u003e1 2021-03-10T08:28:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:28\",\"IsoTimestamp\":\"2021-03-10T08:28:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -250,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316802300Z", + "ingested": "2021-06-04T11:33:17.393078200Z", "original": "\u003c5\u003e1 2021-03-10T08:28:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:29\",\"IsoTimestamp\":\"2021-03-10T08:28:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -317,7 +317,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316804300Z", + "ingested": "2021-06-04T11:33:17.393079600Z", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -384,7 +384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316805700Z", + "ingested": "2021-06-04T11:33:17.393081Z", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -463,7 +463,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316806900Z", + "ingested": "2021-06-04T11:33:17.393082200Z", "original": "\u003c5\u003e1 2021-03-10T09:11:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:33\",\"IsoTimestamp\":\"2021-03-10T09:11:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -542,7 +542,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316808400Z", + "ingested": "2021-06-04T11:33:17.393083500Z", "original": "\u003c5\u003e1 2021-03-10T09:12:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:20\",\"IsoTimestamp\":\"2021-03-10T09:12:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -621,7 +621,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316810100Z", + "ingested": "2021-06-04T11:33:17.393084800Z", "original": "\u003c5\u003e1 2021-03-10T09:12:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:27\",\"IsoTimestamp\":\"2021-03-10T09:12:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -699,7 +699,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316849900Z", + "ingested": "2021-06-04T11:33:17.393086100Z", "original": "\u003c5\u003e1 2021-03-10T22:17:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:27\",\"IsoTimestamp\":\"2021-03-10T22:17:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -788,7 +788,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316852100Z", + "ingested": "2021-06-04T11:33:17.393087400Z", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "8", "kind": "event", 
@@ -877,7 +877,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316854Z", + "ingested": "2021-06-04T11:33:17.393088800Z", "original": "\u003c5\u003e1 2021-03-11T17:48:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:28\",\"IsoTimestamp\":\"2021-03-11T17:48:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "8", "kind": "event", 
@@ -957,7 +957,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316855600Z", + "ingested": "2021-06-04T11:33:17.393090100Z", "original": "\u003c5\u003e1 2021-03-11T17:49:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:49:06\",\"IsoTimestamp\":\"2021-03-11T17:49:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -1034,7 +1034,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316857100Z", + "ingested": "2021-06-04T11:33:17.393091300Z", "original": "\u003c5\u003e1 2021-03-14T12:57:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:20\",\"IsoTimestamp\":\"2021-03-14T12:57:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -1132,7 +1132,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:25.316859100Z", + "ingested": "2021-06-04T11:33:17.393092500Z", "original": "\u003c5\u003e1 2021-03-14T13:49:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:49:36\",\"IsoTimestamp\":\"2021-03-14T13:49:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"34.71.250.247\"}}}", "code": "8", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json index 792892968c0..f892d711355 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635427900Z", + "ingested": "2021-06-04T11:33:17.696325800Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -100,7 +100,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635437500Z", + "ingested": "2021-06-04T11:33:17.696335700Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -143,7 +143,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635439300Z", + "ingested": "2021-06-04T11:33:17.696337400Z", "original": "Mar 08 02:54:46 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -199,7 +199,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635440700Z", + "ingested": "2021-06-04T11:33:17.696338600Z", "original": "\u003c5\u003e1 2021-03-10T08:29:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:19\",\"IsoTimestamp\":\"2021-03-10T08:29:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -252,7 +252,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635442Z", + "ingested": "2021-06-04T11:33:17.696339900Z", "original": "\u003c5\u003e1 2021-03-10T08:29:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:28\",\"IsoTimestamp\":\"2021-03-10T08:29:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -317,7 +317,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635443500Z", + "ingested": "2021-06-04T11:33:17.696341100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -382,7 +382,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635445200Z", + "ingested": "2021-06-04T11:33:17.696342400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -447,7 +447,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635447Z", + "ingested": "2021-06-04T11:33:17.696343700Z", "original": "\u003c5\u003e1 2021-03-10T09:11:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:55\",\"IsoTimestamp\":\"2021-03-10T09:11:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -512,7 +512,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635448400Z", + "ingested": "2021-06-04T11:33:17.696345100Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -577,7 +577,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635449700Z", + "ingested": "2021-06-04T11:33:17.696346200Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -641,7 +641,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635451Z", + "ingested": "2021-06-04T11:33:17.696347600Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -705,7 +705,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635453Z", + "ingested": "2021-06-04T11:33:17.696349100Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -771,7 +771,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635454600Z", + "ingested": "2021-06-04T11:33:17.696350400Z", "original": "\u003c5\u003e1 2021-03-11T16:59:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:54\",\"IsoTimestamp\":\"2021-03-11T16:59:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -837,7 +837,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635456Z", + "ingested": "2021-06-04T11:33:17.696351700Z", "original": "\u003c5\u003e1 2021-03-11T16:59:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:55\",\"IsoTimestamp\":\"2021-03-11T16:59:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -902,7 +902,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635457300Z", + "ingested": "2021-06-04T11:33:17.696352900Z", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -965,7 +965,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635458700Z", + "ingested": "2021-06-04T11:33:17.696393Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -1028,7 +1028,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635473600Z", + "ingested": "2021-06-04T11:33:17.696395200Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -1091,7 +1091,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-05-31T15:30:25.635476100Z", + "ingested": "2021-06-04T11:33:17.696408200Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json index 66f2f9ef62b..a559eb368cf 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json 
@@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-05-31T15:30:25.983717900Z", + "ingested": "2021-06-04T11:33:18.042698900Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" @@ -122,7 +122,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-05-31T15:30:25.983724200Z", + "ingested": "2021-06-04T11:33:18.042705100Z", "original": "\u003c5\u003e1 2021-03-10T18:44:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:44:08\",\"IsoTimestamp\":\"2021-03-10T18:44:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" 
@@ -191,7 +191,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-05-31T15:30:25.983725500Z", + "ingested": "2021-06-04T11:33:18.042706300Z", "original": "\u003c5\u003e1 2021-03-10T22:17:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:40\",\"IsoTimestamp\":\"2021-03-10T22:17:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" 
@@ -259,7 +259,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-05-31T15:30:25.983726500Z", + "ingested": "2021-06-04T11:33:18.042707300Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e98\u003c/MessageID\u003e\\n \u003cDesc\u003eOpen File (Write Only)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eOpen File (Write Only)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eOpen File (Write Only)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write 
Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "98", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json index 34780332958..85de37d4230 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json 
@@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file", - "ingested": "2021-05-31T15:30:26.082470500Z", + "ingested": "2021-06-04T11:33:18.139337400Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"99\",\"Desc\":\"Open File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\EPMConfiguration.xml\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File\",\"GatewayStation\":\"\"}}}", "code": "99", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml similarity index 100% rename from packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-config.yml rename to packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-common-config.yml diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json index 798a75633e1..e26eecd48c1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json @@ -45,7 +45,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-05-31T15:30:26.111474600Z", + "ingested": "2021-06-04T11:33:18.162541200Z", "original": "Mar 08 03:41:01 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-BusinessWebsite.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml deleted file mode 100644 index 5622947e4b8..00000000000 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-config.yml +++ /dev/null @@ -1,5 +0,0 @@ -dynamic_fields: - event.ingested: ".*" -fields: - tags: - - preserve_original_event diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json index 8ef6ddc91ed..38c3510ac35 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json @@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:26.139988800Z", + "ingested": "2021-06-04T11:33:18.183258200Z", "original": "\u003c5\u003e1 2021-03-04T17:27:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:14\",\"IsoTimestamp\":\"2021-03-04T17:27:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:26.139995200Z", + "ingested": "2021-06-04T11:33:18.183264800Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -186,7 +186,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-05-31T15:30:26.139996500Z", + "ingested": "2021-06-04T11:33:18.183266300Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" @@ -241,7 +241,7 @@ }, "event": { "severity": 2, - "ingested": "2021-05-31T15:30:26.139997600Z", + "ingested": "2021-06-04T11:33:18.183267400Z", "original": "\u003c5\u003e1 2021-03-04T17:27:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:33\",\"IsoTimestamp\":\"2021-03-04T17:27:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs b/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs index 9db68564e00..0e4fc0cec44 100644 
--- a/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs +++ b/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs @@ -15,3 +15,6 @@ publisher_pipeline.disable_host: true {{/contains}} processors: - add_locale: ~ +{{#if processors}} + {{processors}} +{{/if}} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs index 4696b727631..9b9b8e0c750 100644 --- a/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs +++ b/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs @@ -15,3 +15,6 @@ ssl: {{ssl}} {{/if}} processors: - add_locale: ~ +{{#if processors}} + {{processors}} +{{/if}} diff --git a/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs b/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs index ab3984248c4..78c261806f4 100644 --- a/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs +++ b/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs @@ -12,3 +12,6 @@ publisher_pipeline.disable_host: true {{/contains}} processors: - add_locale: ~ +{{#if processors}} + {{processors}} +{{/if}} diff --git a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 551e0d22aa0..3f366ee85db 100644 --- a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
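Review bot: In the log.yml.hbs hunk the added `{{processors}}` line is indented under `processors:`, but Handlebars substitutes the variable verbatim, so only the first line of a multi-line processor list inherits that indent and any following items presumably land at column 0, no longer forming one sequence with `- add_locale: ~`. Rendering the whole block flush-left, `- add_locale: ~` followed by `{{processors}}` at the same column inside the `{{#if processors}}` guard, keeps every item of the policy-supplied list in the same YAML sequence; the tcp.yml.hbs and udp.yml.hbs hunks in this commit share the layout. Because this value is agent-side processor configuration that runs before the ingest pipeline parses anything, a comment above the guard such as `# processors: optional agent-side processors from the policy (type: yaml); rendered verbatim, keep at list indentation` would tell the next maintainer why the column matters. log.yml.hbs also ends without a trailing newline after `{{/if}}` while the tcp and udp templates keep one.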
@@ -1161,28 +1161,23 @@ processors: selected['other'] = base; audit[lst.getKey()] = selected; }); - # # Cleanup # - remove: field: _tmp ignore_missing: true - - remove: field: event.original ignore_missing: true if: 'ctx.tags == null || !ctx.tags.contains("preserve_original_event")' - on_failure: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' - - remove: field: _tmp ignore_missing: true - - set: field: event.kind value: pipeline_error diff --git a/packages/cyberarkpas/data_stream/audit/manifest.yml b/packages/cyberarkpas/data_stream/audit/manifest.yml index c44f2cc6e24..a06e15e66c4 100644 --- a/packages/cyberarkpas/data_stream/audit/manifest.yml +++ b/packages/cyberarkpas/data_stream/audit/manifest.yml @@ -14,6 +14,31 @@ streams: multi: false required: false show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false - input: tcp enabled: true template_path: tcp.yml.hbs @@ -39,9 +64,9 @@ streams: title: Tags multi: true required: true - show_user: true + show_user: false default: - - cyberarkpas.audit + - cyberarkpas-audit - forwarded - name: preserve_original_event type: bool 
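Review bot: The logfile `tags` variable added in `@@ -14,6 +14,31 @@` defaults to `forwarded` alone, while the tcp and udp inputs in the same file default to `cyberarkpas-audit` plus `forwarded`; unless the omission is deliberate, anything filtering on `tags:cyberarkpas-audit` will miss events from the log input, so the default should read `- cyberarkpas-audit` and `- forwarded`. The new `processors` entries for logfile and tcp use `description: >` (folded, trailing newline kept) whereas the udp one in `@@ -93,3 +127,11 @@` uses `>-`; pick one form for all three so the rendered descriptions are identical. The logfile `processors` stanza is also followed by a stray blank line before `- name: preserve_original_event` that the other two stanzas do not have.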
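Review bot: The default tag changes from `cyberarkpas.audit` to `cyberarkpas-audit` in `@@ -39,9 +64,9 @@` and again for udp in `@@ -82,9 +116,9 @@`, and in the same hunks `show_user` flips to `false`, so the value disappears from the policy editor; saved searches, dashboards or detection rules keyed on the old tag will silently stop matching after upgrade. With the package only moving from 1.0.0 to 1.0.1, a changelog entry naming both the old and new tag, or leaving `show_user: true` until the rename has propagated, would make the break discoverable. I cannot tell from the hunk whether Fleet re-applies the new default to existing policies; if it does not, agents would emit a mix of both tags across the fleet, which is worth stating next to the default.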
@@ -57,6 +82,15 @@ streams: required: false show_user: true description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp enabled: true template_path: udp.yml.hbs @@ -82,9 +116,9 @@ streams: title: Tags multi: true required: true - show_user: true + show_user: false default: - - cyberarkpas.audit + - cyberarkpas-audit - forwarded - name: preserve_original_event type: bool @@ -93,3 +127,11 @@ streams: required: true show_user: true default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/cyberarkpas/docs/README.md b/packages/cyberarkpas/docs/README.md index b97f6dd8837..1e54f562e08 100644 --- a/packages/cyberarkpas/docs/README.md +++ b/packages/cyberarkpas/docs/README.md @@ -31,7 +31,7 @@ For proper timestamping of events, it's recommended to use the newer RFC5424 Sys An example event for `audit` looks as following: -```$json +```json { "@timestamp": "2021-03-04T17:27:14.000Z", "cyberarkpas": { diff --git a/packages/cyberarkpas/manifest.yml b/packages/cyberarkpas/manifest.yml index a07210f456e..651460c17a7 100644 --- a/packages/cyberarkpas/manifest.yml 
+++ b/packages/cyberarkpas/manifest.yml @@ -1,6 +1,6 @@ name: cyberarkpas title: CyberArk Privileged Access Security -version: 1.0.0 +version: 1.0.1 release: beta description: CyberArk Privileged Access Security Integration type: integration From 5f620f069e425714409db962aa3c84c49e97f478 Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Fri, 4 Jun 2021 14:32:23 +0200 Subject: [PATCH 4/7] Linting processors --- .../cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs | 4 ++-- .../cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs | 4 ++-- .../cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs b/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs index 0e4fc0cec44..084013f521d 100644 --- a/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs +++ b/packages/cyberarkpas/data_stream/audit/agent/stream/log.yml.hbs @@ -14,7 +14,7 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ +- add_locale: ~ {{#if processors}} - {{processors}} +{{processors}} {{/if}} \ No newline at end of file diff --git a/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs index 9b9b8e0c750..f7ee04a3979 100644 --- a/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs +++ b/packages/cyberarkpas/data_stream/audit/agent/stream/tcp.yml.hbs @@ -14,7 +14,7 @@ publisher_pipeline.disable_host: true ssl: {{ssl}} {{/if}} processors: - - add_locale: ~ +- add_locale: ~ {{#if processors}} - {{processors}} +{{processors}} {{/if}} diff --git a/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs b/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs index 78c261806f4..6a2b02e2a3e 100644 --- a/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs 
+++ b/packages/cyberarkpas/data_stream/audit/agent/stream/udp.yml.hbs @@ -11,7 +11,7 @@ tags: publisher_pipeline.disable_host: true {{/contains}} processors: - - add_locale: ~ +- add_locale: ~ {{#if processors}} - {{processors}} +{{processors}} {{/if}} From f186f0f1b871a868287d6a7ad5d8140d9dd9cb7f Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Mon, 7 Jun 2021 13:40:40 +0200 Subject: [PATCH 5/7] updating docs --- packages/cyberarkpas/docs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/cyberarkpas/docs/README.md b/packages/cyberarkpas/docs/README.md index 1e54f562e08..b97f6dd8837 100644 --- a/packages/cyberarkpas/docs/README.md +++ b/packages/cyberarkpas/docs/README.md @@ -31,7 +31,7 @@ For proper timestamping of events, it's recommended to use the newer RFC5424 Sys An example event for `audit` looks as following: -```json +```$json { "@timestamp": "2021-03-04T17:27:14.000Z", "cyberarkpas": { From 398626ff13389f2c58757642123f23b54cdb0bd5 Mon Sep 17 00:00:00 2001 
From: Marius Iversen Date: Wed, 9 Jun 2021 12:25:19 +0200 Subject: [PATCH 6/7] linting --- ...st-105-add-file-category.log-expected.json | 12 +++--- ...106-update-file-category.log-expected.json | 12 +++--- ...107-delete-file-category.log-expected.json | 2 +- .../test-124-rename-file.log-expected.json | 2 +- ...est-125-rename-file-cont.log-expected.json | 2 +- .../test-126-unlock-file.log-expected.json | 2 +- ...130-cpm-disable-password.log-expected.json | 2 +- ...t-178-get-user-s-details.log-expected.json | 2 +- .../test-180-add-user.log-expected.json | 24 +++++------ .../test-181-update-safe.log-expected.json | 2 +- .../test-185-add-safe.log-expected.json | 4 +- .../test-187-add-folder.log-expected.json | 4 +- ...-full-gateway-connection.log-expected.json | 18 ++++----- ...rtial-gateway-connection.log-expected.json | 2 +- ...kup-files-deletion-start.log-expected.json | 2 +- ...ackup-files-deletion-end.log-expected.json | 2 +- ...t-22-cpm-verify-password.log-expected.json | 4 +- ...23-action-on-closed-safe.log-expected.json | 6 +-- ...t-24-cpm-change-password.log-expected.json | 8 ++-- ...est-259-add-update-group.log-expected.json | 8 ++-- ...est-265-add-group-member.log-expected.json | 28 ++++++------- ...-266-remove-group-member.log-expected.json | 4 +- .../test-273-remove-owner.log-expected.json | 2 +- .../test-278-add-rule.log-expected.json | 2 +- ...lear-users-history-start.log-expected.json | 4 +- ...-clear-users-history-end.log-expected.json | 4 +- ...lear-safes-history-start.log-expected.json | 2 +- ...-clear-safes-history-end.log-expected.json | 2 +- .../test-294-store-password.log-expected.json | 20 +++++----- ...st-295-retrieve-password.log-expected.json | 26 ++++++------ .../test-300-psm-connect.log-expected.json | 34 ++++++++-------- .../test-302-psm-disconnect.log-expected.json | 32 +++++++-------- ...304-psm-upload-recording.log-expected.json | 2 +- .../test-308-use-password.log-expected.json | 22 +++++----- 
...309-undefined-user-logon.log-expected.json | 10 ++--- ...1-cpm-reconcile-password.log-expected.json | 2 +- ...tor-dr-replication-start.log-expected.json | 4 +- ...nitor-dr-replication-end.log-expected.json | 4 +- ...ord-detailed-information.log-expected.json | 2 +- ...-317-reset-user-password.log-expected.json | 2 +- .../test-32-add-owner.log-expected.json | 32 +++++++-------- ...cpm-auto-detection-start.log-expected.json | 2 +- ...7-cpm-auto-detection-end.log-expected.json | 2 +- .../test-33-update-owner.log-expected.json | 14 +++---- ...se-expiration-date-start.log-expected.json | 2 +- ...ense-expiration-date-end.log-expected.json | 2 +- ...7-monitor-fw-rules-start.log-expected.json | 4 +- ...358-monitor-fw-rules-end.log-expected.json | 4 +- .../test-359-sql-command.log-expected.json | 20 +++++----- ...st-361-keystroke-logging.log-expected.json | 14 +++---- ...m-verify-password-failed.log-expected.json | 30 +++++++------- ...5-blservice-audit-record.log-expected.json | 10 ++--- ...st-4-user-authentication.log-expected.json | 4 +- .../test-411-window-title.log-expected.json | 2 +- ...st-412-keystroke-logging.log-expected.json | 2 +- ...t-414-cpm-verify-ssh-key.log-expected.json | 2 +- .../test-427-store-ssh-key.log-expected.json | 2 +- ...est-428-retrieve-ssh-key.log-expected.json | 6 +-- ...eate-discovery-succeeded.log-expected.json | 2 +- .../test-459-general-audit.log-expected.json | 6 +-- ...thentication-was-updated.log-expected.json | 2 +- ...ault-certificate-is-sha1.log-expected.json | 4 +- ...bulk-operation-succeeded.log-expected.json | 2 +- .../test-50-store-file.log-expected.json | 12 +++--- .../test-51-retrieve-file.log-expected.json | 4 +- .../test-52-delete-file.log-expected.json | 20 +++++----- ...m-change-password-failed.log-expected.json | 2 +- ...st-59-clear-safe-history.log-expected.json | 6 +-- ...econcile-password-failed.log-expected.json | 18 ++++----- ...t-62-create-file-version.log-expected.json | 16 ++++---- 
.../pipeline/test-7-logon.log-expected.json | 24 +++++------ .../pipeline/test-8-logoff.log-expected.json | 30 +++++++------- .../test-88-set-password.log-expected.json | 36 ++++++++--------- ...-98-open-file-write-only.log-expected.json | 8 ++-- .../test-99-open-file.log-expected.json | 2 +- .../test-legacysyslog.log-expected.json | 2 +- .../test-rfc5424syslog.log-expected.json | 8 ++-- .../elasticsearch/ingest_pipeline/default.yml | 7 ++-- .../data_stream/audit/manifest.yml | 40 ++++++++++--------- packages/cyberarkpas/docs/README.md | 2 +- 80 files changed, 369 insertions(+), 366 deletions(-) diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json index a95bfa4aaaf..ec965a5224f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-105-add-file-category.log-expected.json 
@@ -63,7 +63,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-04T11:33:08.385128900Z", + "ingested": "2021-06-09T10:24:27.789413200Z", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "105", "kind": "event" 
@@ -134,7 +134,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-04T11:33:08.385153600Z", + "ingested": "2021-06-09T10:24:27.789440300Z", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -205,7 +205,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-04T11:33:08.385164Z", + "ingested": "2021-06-09T10:24:27.789448Z", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" 
@@ -276,7 +276,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-04T11:33:08.385170400Z", + "ingested": "2021-06-09T10:24:27.789478800Z", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"LogonDomain\",\"RequestId\":\"\",\"Reason\":\"Value=[ASR-CYBERARK-WI]\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" @@ -346,7 +346,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-04T11:33:08.385176400Z", + "ingested": "2021-06-09T10:24:27.789486200Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" 
@@ -418,7 +418,7 @@ "event": { "severity": 2, "action": "add file category", - "ingested": "2021-06-04T11:33:08.385182600Z", + "ingested": "2021-06-09T10:24:27.789492200Z", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e105\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"105\",\"Desc\":\"Add File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add File Category\",\"GatewayStation\":\"\"}}}", "code": "105", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json index 20a4d3b064c..e6f36bbe3c1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-106-update-file-category.log-expected.json @@ -63,7 +63,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-04T11:33:08.742124Z", + "ingested": "2021-06-09T10:24:28.164116100Z", "original": "\u003c5\u003e1 2021-03-08T18:25:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:25:52\",\"IsoTimestamp\":\"2021-03-08T18:25:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"Address\",\"RequestId\":\"\",\"Reason\":\"Value=[components] Old Value=[Address]\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "106", "kind": "event" 
@@ -134,7 +134,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-04T11:33:08.742155800Z", + "ingested": "2021-06-09T10:24:28.164140400Z", "original": "\u003c5\u003e1 2021-03-10T18:46:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:48\",\"IsoTimestamp\":\"2021-03-10T18:46:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" @@ -204,7 +204,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-04T11:33:08.742200500Z", + "ingested": "2021-06-09T10:24:28.164146400Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" 
@@ -276,7 +276,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-04T11:33:08.742207700Z", + "ingested": "2021-06-09T10:24:28.164169900Z", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.session\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003ePSMStatus\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.session\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"PSMStatus\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" 
@@ -347,7 +347,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-04T11:33:08.742212500Z", + "ingested": "2021-06-09T10:24:28.164177600Z", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event" 
@@ -416,7 +416,7 @@ "event": { "severity": 2, "action": "update file category", - "ingested": "2021-06-04T11:33:08.742217200Z", + "ingested": "2021-06-09T10:24:28.164182400Z", "original": "\u003c5\u003e1 2021-03-14T13:49:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e106\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e_PSMLiveSessions_1\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:38\",\"IsoTimestamp\":\"2021-03-14T13:49:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"106\",\"Desc\":\"Update File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Update File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"_PSMLiveSessions_1\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update File Category\",\"GatewayStation\":\"\"}}}", "code": "106", "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
index d00fe44a368..0c07cb86bcf 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-107-delete-file-category.log-expected.json
@@ -64,7 +64,7 @@ "event": { "severity": 2, "action": "delete file category", - "ingested": "2021-06-04T11:33:08.888766Z", + "ingested": "2021-06-09T10:24:28.339321900Z", "original": "\u003c5\u003e1 2021-03-15T10:22:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e107\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File Category\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File Category\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003eLastFailDate\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eOld Value=[1615803137]\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File Category\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:24\",\"IsoTimestamp\":\"2021-03-15T10:22:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"107\",\"Desc\":\"Delete File 
Category\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File Category\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"LastFailDate\",\"RequestId\":\"\",\"Reason\":\"Old Value=[1615803137]\",\"ExtraDetails\":\"\",\"Message\":\"Delete File Category\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "107", "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
index cf88343b908..02b5d794871 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-124-rename-file.log-expected.json
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "rename file", - "ingested": "2021-06-04T11:33:08.919553200Z", + "ingested": "2021-06-09T10:24:28.383885400Z", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e124\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"124\",\"Desc\":\"Rename File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "124", "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
index 2597af743ef..35b71d5b2a2 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-125-rename-file-cont.log-expected.json
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "rename file (cont.)", - "ingested": "2021-06-04T11:33:08.947968800Z", + "ingested": "2021-06-09T10:24:28.428911400Z", "original": "\u003c5\u003e1 2021-03-14T13:42:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e125\u003c/MessageID\u003e\\n \u003cDesc\u003eRename File (Cont.)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRename File (Cont.)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eOperating System-UnixSSH-34.71.250.247-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRename File (Cont.)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:42:20\",\"IsoTimestamp\":\"2021-03-14T13:42:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"125\",\"Desc\":\"Rename File 
(Cont.)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Rename File (Cont.)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Operating System-UnixSSH-34.71.250.247-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Rename File (Cont.)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "125", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json index 3390e9f0315..3a3025baf61 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-126-unlock-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "unlock file", - "ingested": "2021-06-04T11:33:08.975976300Z", + "ingested": "2021-06-09T10:24:28.461269100Z", "original": "\u003c5\u003e1 2021-03-10T18:33:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:33:34\",\"IsoTimestamp\":\"2021-03-10T18:33:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"126\",\"Desc\":\"Unlock File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Unlock File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Unlock File\",\"GatewayStation\":\"\"}}}", "code": "126", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
index 3edb40d92e9..ceb27a8c198 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-130-cpm-disable-password.log-expected.json
@@ -81,7 +81,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-04T11:33:09.001670800Z", + "ingested": "2021-06-09T10:24:28.504981Z", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e130\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Disable Password\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Disable Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eMaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Disable Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"130\",\"Desc\":\"CPM Disable Password\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Disable Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"MaxRetries. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Disable Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "130", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json index 790372de445..281ae899443 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-178-get-user-s-details.log-expected.json 
@@ -48,7 +48,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:09.053529200Z", + "ingested": "2021-06-09T10:24:28.561257100Z", "original": "\u003c7\u003e1 2021-03-11T18:45:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:45:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:45:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e178\u003c/MessageID\u003e\\n \u003cDesc\u003eGet User's Details\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eGet User's Details\u003c/Action\u003e\\n \u003cSourceUser\u003eMaster\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGet User's Details\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:45:23\",\"IsoTimestamp\":\"2021-03-11T18:45:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"178\",\"Desc\":\"Get User's Details\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Get User's 
Details\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Get User's Details\",\"GatewayStation\":\"\"}}}", "code": "178", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json index 1d01a1e2bc8..7f4b752e725 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-180-add-user.log-expected.json @@ -62,7 +62,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081082100Z", + "ingested": "2021-06-09T10:24:28.586584800Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -144,7 +144,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081103200Z", + "ingested": "2021-06-09T10:24:28.586611Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMPGW_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -226,7 +226,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081109600Z", + "ingested": "2021-06-09T10:24:28.586616900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -308,7 +308,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081115600Z", + "ingested": "2021-06-09T10:24:28.586621300Z", "original": "\u003c5\u003e1 2021-03-10T17:59:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:19\",\"IsoTimestamp\":\"2021-03-10T17:59:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -390,7 +390,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081120Z", + "ingested": "2021-06-09T10:24:28.586625300Z", "original": "\u003c5\u003e1 2021-03-10T17:59:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:27\",\"IsoTimestamp\":\"2021-03-10T17:59:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -471,7 +471,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081123900Z", + "ingested": "2021-06-09T10:24:28.586629Z", "original": "\u003c5\u003e1 2021-03-10T22:19:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:06\",\"IsoTimestamp\":\"2021-03-10T22:19:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMApp_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", @@ -552,7 +552,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081127800Z", + "ingested": "2021-06-09T10:24:28.586632600Z", "original": "\u003c5\u003e1 2021-03-10T22:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:15\",\"IsoTimestamp\":\"2021-03-10T22:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add User\",\"SourceUser\":\"PSMGw_ASR-WIN\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -635,7 +635,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081132Z", + "ingested": "2021-06-09T10:24:28.586636200Z", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -718,7 +718,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081136Z", + "ingested": "2021-06-09T10:24:28.586639700Z", "original": "\u003c5\u003e1 2021-03-11T16:59:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:36\",\"IsoTimestamp\":\"2021-03-11T16:59:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -798,7 +798,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081139900Z", + "ingested": "2021-06-09T10:24:28.586643200Z", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -878,7 +878,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081144200Z", + "ingested": "2021-06-09T10:24:28.586646900Z", "original": "\u003c5\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPApp_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMPApp_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", 
@@ -958,7 +958,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.081148300Z", + "ingested": "2021-06-09T10:24:28.586650500Z", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e180\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd User\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd User\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd User\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"180\",\"Desc\":\"Add User\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add 
User\",\"SourceUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add User\",\"GatewayStation\":\"\"}}}", "code": "180", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json index ed0c4a8a041..74e7a370e40 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-181-update-safe.log-expected.json @@ -60,7 +60,7 @@ "event": { "severity": 2, "action": "update safe", - "ingested": "2021-06-04T11:33:09.372305700Z", + "ingested": "2021-06-09T10:24:28.899514900Z", "original": "\u003c5\u003e1 2021-03-10T18:15:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:15:44\",\"IsoTimestamp\":\"2021-03-10T18:15:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"181\",\"Desc\":\"Update Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Safe\",\"GatewayStation\":\"\"}}}", "code": "181", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json index 7ac53217e7c..3fdba0def6b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-185-add-safe.log-expected.json @@ -60,7 +60,7 @@ "event": { "severity": 2, "action": "add safe", - "ingested": "2021-06-04T11:33:09.401099Z", + "ingested": "2021-06-09T10:24:28.925889300Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "code": "185", "kind": "event" 
@@ -127,7 +127,7 @@ "event": { "severity": 2, "action": "add safe", - "ingested": "2021-06-04T11:33:09.401119Z", + "ingested": "2021-06-09T10:24:28.925919900Z", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e185\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"185\",\"Desc\":\"Add Safe\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Add 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Safe\",\"GatewayStation\":\"\"}}}", "code": "185", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json index e6903db306f..21af051a36b 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-187-add-folder.log-expected.json @@ -64,7 +64,7 @@ "event": { "severity": 2, "action": "add folder", - "ingested": "2021-06-04T11:33:09.460126100Z", + "ingested": "2021-06-09T10:24:28.978084Z", "original": "\u003c5\u003e1 2021-03-10T09:11:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:40\",\"IsoTimestamp\":\"2021-03-10T09:11:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"Root\\\\Scripts\\\\\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "code": "187", "kind": "event" 
@@ -123,7 +123,7 @@ "event": { "severity": 2, "action": "add folder", - "ingested": "2021-06-04T11:33:09.460145Z", + "ingested": "2021-06-09T10:24:28.978100500Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e187\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Folder\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Folder\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\\\\\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Folder\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"187\",\"Desc\":\"Add Folder\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Folder\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\\\\\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Folder\",\"GatewayStation\":\"\"}}}", "code": "187", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json index 8ab0f5085c5..9f85e150cc2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-19-full-gateway-connection.log-expected.json @@ -66,7 +66,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530592300Z", + "ingested": "2021-06-09T10:24:29.025103300Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -161,7 +161,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530611100Z", + "ingested": "2021-06-09T10:24:29.025119800Z", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -256,7 +256,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530615800Z", + "ingested": "2021-06-09T10:24:29.025124900Z", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -338,7 +338,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530619600Z", + "ingested": "2021-06-09T10:24:29.025129Z", "original": "\u003c5\u003e1 2021-03-10T08:31:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:50\",\"IsoTimestamp\":\"2021-03-10T08:31:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", @@ -421,7 +421,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530623300Z", + "ingested": "2021-06-09T10:24:29.025132600Z", "original": "\u003c5\u003e1 2021-03-10T22:37:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:37:00\",\"IsoTimestamp\":\"2021-03-10T22:37:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.10\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -517,7 +517,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530626800Z", + "ingested": "2021-06-09T10:24:29.025136100Z", "original": "\u003c5\u003e1 2021-03-11T17:38:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:05\",\"IsoTimestamp\":\"2021-03-11T17:38:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "19", "kind": "event", 
@@ -613,7 +613,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530630500Z", + "ingested": "2021-06-09T10:24:29.025139500Z", "original": "\u003c5\u003e1 2021-03-11T17:48:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_VAGRANT\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:22\",\"IsoTimestamp\":\"2021-03-11T17:48:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "19", "kind": "event", 
@@ -708,7 +708,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530635Z", + "ingested": "2021-06-09T10:24:29.025143600Z", "original": "\u003c5\u003e1 2021-03-11T18:02:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:02:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:02:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWUser\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:02:57\",\"IsoTimestamp\":\"2021-03-11T18:02:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PVWAGWUser\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "19", "kind": "event", 
@@ -813,7 +813,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.530638500Z", + "ingested": "2021-06-09T10:24:29.025147600Z", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e19\u003c/MessageID\u003e\\n \u003cDesc\u003eFull Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eFull Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMPGW_SSH\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eFull Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"19\",\"Desc\":\"Full Gateway Connection\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Full Gateway 
Connection\",\"SourceUser\":\"PSMPGW_SSH\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Full Gateway Connection\",\"GatewayStation\":\"34.71.250.247\"}}}", "code": "19", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json index c45f7647b00..e9f9abfb8e1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-20-partial-gateway-connection.log-expected.json 
@@ -49,7 +49,7 @@ "event": { "severity": 2, "action": "partial gateway connection", - "ingested": "2021-06-04T11:33:09.762012Z", + "ingested": "2021-06-09T10:24:29.253603900Z", "original": "\u003c5\u003e1 2021-03-25T09:20:07Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e20\u003c/MessageID\u003e\\n \u003cDesc\u003ePartial Gateway Connection\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMGw_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePartial Gateway Connection\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePartial Gateway Connection\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 05:20:07\",\"IsoTimestamp\":\"2021-03-25T09:20:07Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"20\",\"Desc\":\"Partial Gateway 
Connection\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_COMP01\",\"Action\":\"Partial Gateway Connection\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Partial Gateway Connection\",\"GatewayStation\":\"\"}}}", "code": "20", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json index 0574fcf3c12..87614cf81e3 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-202-old-backup-files-deletion-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "old backup files deletion start", - "ingested": "2021-06-04T11:33:09.789639200Z", + "ingested": "2021-06-09T10:24:29.286781700Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"202\",\"Desc\":\"Old Backup Files Deletion Start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion Start\",\"GatewayStation\":\"\"}}}", "code": "202", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json index fd7425e8c46..3117d0b5493 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-203-old-backup-files-deletion-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "old backup files deletion end", - "ingested": "2021-06-04T11:33:09.813028800Z", + "ingested": "2021-06-09T10:24:29.314784200Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"203\",\"Desc\":\"Old Backup Files Deletion End\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Old Backup Files Deletion End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Old Backup Files Deletion End\",\"GatewayStation\":\"\"}}}", "code": "203", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json index ca196852178..f5f0d604e61 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-22-cpm-verify-password.log-expected.json 
@@ -79,7 +79,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.835377500Z", + "ingested": "2021-06-09T10:24:29.336761500Z", "original": "Apr 07 09:51:42 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"}]}}}}", "code": "22", "kind": "event", 
@@ -195,7 +195,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.835393500Z", + "ingested": "2021-06-09T10:24:29.336778300Z", "original": "\u003c5\u003e1 2021-03-15T10:22:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:22:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:22:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e22\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" 
Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:22:44\",\"IsoTimestamp\":\"2021-03-15T10:22:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"22\",\"Desc\":\"CPM Verify Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Verify Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "22", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json index 79a8863d2e6..41556ceba10 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-23-action-on-closed-safe.log-expected.json @@ -59,7 +59,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:09.910908600Z", + "ingested": "2021-06-09T10:24:29.424500300Z", "original": "\u003c7\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", 
@@ -115,7 +115,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:09.910939200Z", + "ingested": "2021-06-09T10:24:29.424518Z", "original": "\u003c7\u003e1 2021-03-14T12:07:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedADAccounts\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:27\",\"IsoTimestamp\":\"2021-03-14T12:07:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"Action On Closed 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedADAccounts\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", 
@@ -180,7 +180,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:09.910946400Z", + "ingested": "2021-06-09T10:24:29.424522900Z", "original": "\u003c7\u003e1 2021-03-14T12:57:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e23\u003c/MessageID\u003e\\n \u003cDesc\u003eAction On Closed Safe\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAction On Closed Safe\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPConf\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAction On Closed Safe\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:16\",\"IsoTimestamp\":\"2021-03-14T12:57:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"23\",\"Desc\":\"Action On Closed Safe\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"Action On Closed 
Safe\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Action On Closed Safe\",\"GatewayStation\":\"\"}}}", "code": "23", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json index 9e6ff795c80..9ee82f33955 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-24-cpm-change-password.log-expected.json 
@@ -70,7 +70,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.979066700Z", + "ingested": "2021-06-09T10:24:29.491218300Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=radiussrv.cyberark.local;username=test12;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"test12\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"LastSuccessVerification\\\" Value=\\\"1604943844\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1604944158\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-test12\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=radiussrv.cyberark.local;username=test12;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"test12\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1604943844\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1604944158\"}]}}}}", "code": "24", "kind": "event", 
@@ -174,7 +174,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.979085300Z", + "ingested": "2021-06-09T10:24:29.491235800Z", "original": "\u003c5\u003e1 2021-03-08T19:20:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:05\",\"IsoTimestamp\":\"2021-03-08T19:20:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", 
@@ -278,7 +278,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.979090200Z", + "ingested": "2021-06-09T10:24:29.491240700Z", "original": "\u003c5\u003e1 2021-03-10T23:39:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:28\",\"IsoTimestamp\":\"2021-03-10T23:39:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountB;\",\"Message\":\"CPM Change Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", 
@@ -383,7 +383,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:09.979094Z", + "ingested": "2021-06-09T10:24:29.491244900Z", "original": "\u003c5\u003e1 2021-03-15T10:12:24Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:24\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:24Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e24\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=components;username=x_accountA;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"28\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615803143\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:24\",\"IsoTimestamp\":\"2021-03-15T10:12:24Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"24\",\"Desc\":\"CPM Change Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=components;username=x_accountA;\",\"Message\":\"CPM Change 
Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"28\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615803143\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "24", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json index e3153e57b80..893da5935c9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-259-add-update-group.log-expected.json 
@@ -60,7 +60,7 @@ "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-06-04T11:33:10.118061600Z", + "ingested": "2021-06-09T10:24:29.637782200Z", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" @@ -126,7 +126,7 @@ "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-06-04T11:33:10.118081300Z", + "ingested": "2021-06-09T10:24:29.637798100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" 
@@ -192,7 +192,7 @@ "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-06-04T11:33:10.118086Z", + "ingested": "2021-06-09T10:24:29.637803100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" @@ -258,7 +258,7 @@ "event": { "severity": 2, "action": "add/update group", - "ingested": "2021-06-04T11:33:10.118089900Z", + "ingested": "2021-06-09T10:24:29.637807400Z", "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"259\",\"Desc\":\"Add/Update Group\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add/Update Group\",\"SourceUser\":\"PSMLiveSessionTerminators\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add/Update Group\",\"GatewayStation\":\"\"}}}", "code": "259", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json index 4e95f5b893b..2a5e9beaf23 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-265-add-group-member.log-expected.json @@ -61,7 +61,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209076700Z", + "ingested": "2021-06-09T10:24:29.730009500Z", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -128,7 +128,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209095400Z", + "ingested": "2021-06-09T10:24:29.730026800Z", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" @@ -195,7 +195,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209100200Z", + "ingested": "2021-06-09T10:24:29.730031500Z", "original": "\u003c5\u003e1 2021-03-10T09:11:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:35\",\"IsoTimestamp\":\"2021-03-10T09:11:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_localhost.localdomain\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -262,7 +262,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209104500Z", + "ingested": "2021-06-09T10:24:29.730035100Z", "original": "\u003c5\u003e1 2021-03-10T17:58:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:01\",\"IsoTimestamp\":\"2021-03-10T17:58:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" @@ -329,7 +329,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209108300Z", + "ingested": "2021-06-09T10:24:29.730038300Z", "original": "\u003c5\u003e1 2021-03-10T17:59:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:29\",\"IsoTimestamp\":\"2021-03-10T17:59:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -396,7 +396,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209111700Z", + "ingested": "2021-06-09T10:24:29.730041500Z", "original": "\u003c5\u003e1 2021-03-10T17:59:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:30\",\"IsoTimestamp\":\"2021-03-10T17:59:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" @@ -462,7 +462,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209115100Z", + "ingested": "2021-06-09T10:24:29.730044700Z", "original": "\u003c5\u003e1 2021-03-10T22:17:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:15\",\"IsoTimestamp\":\"2021-03-10T22:17:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -528,7 +528,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209127600Z", + "ingested": "2021-06-09T10:24:29.730047700Z", "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMApp_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" @@ -594,7 +594,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209131100Z", + "ingested": "2021-06-09T10:24:29.730050900Z", "original": "\u003c5\u003e1 2021-03-10T22:19:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:16\",\"IsoTimestamp\":\"2021-03-10T22:19:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMGw_ASR-WIN\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -662,7 +662,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209134600Z", + "ingested": "2021-06-09T10:24:29.730054200Z", "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -730,7 +730,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209139300Z", + "ingested": "2021-06-09T10:24:29.730057300Z", "original": "\u003c5\u003e1 2021-03-11T16:59:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:38\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:38Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_VAGRANT\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:38\",\"IsoTimestamp\":\"2021-03-11T16:59:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_VAGRANT\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -795,7 +795,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209143600Z", + "ingested": "2021-06-09T10:24:29.730093300Z", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePVWAGWAccounts\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPGW_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"PSMPGW_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -860,7 +860,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209147100Z", + "ingested": "2021-06-09T10:24:29.730110900Z", "original": "\u003c5\u003e1 2021-03-14T12:57:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMAppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMPApp_SSH\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:17\",\"IsoTimestamp\":\"2021-03-14T12:57:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"PSMPApp_SSH\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" 
@@ -925,7 +925,7 @@ "event": { "severity": 2, "action": "add group member", - "ingested": "2021-06-04T11:33:10.209150500Z", + "ingested": "2021-06-09T10:24:29.730116300Z", "original": "\u003c5\u003e1 2021-03-14T12:57:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e265\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Group Member\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Group Member\u003c/Action\u003e\\n \u003cSourceUser\u003ePSMP_ADB_AppUsers\u003c/SourceUser\u003e\\n \u003cTargetUser\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Group Member\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:21\",\"IsoTimestamp\":\"2021-03-14T12:57:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"265\",\"Desc\":\"Add Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Group 
Member\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Group Member\",\"GatewayStation\":\"\"}}}", "code": "265", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json index 33d47ebf847..339797eb161 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-266-remove-group-member.log-expected.json @@ -61,7 +61,7 @@ "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-06-04T11:33:10.530824300Z", + "ingested": "2021-06-09T10:24:30.061938500Z", "original": "\u003c5\u003e1 2021-03-10T17:59:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:48\",\"IsoTimestamp\":\"2021-03-10T17:59:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" 
@@ -127,7 +127,7 @@ "event": { "severity": 2, "action": "remove group member", - "ingested": "2021-06-04T11:33:10.530840600Z", + "ingested": "2021-06-09T10:24:30.061959300Z", "original": "\u003c5\u003e1 2021-03-10T22:19:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:23\",\"IsoTimestamp\":\"2021-03-10T22:19:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"266\",\"Desc\":\"Remove Group Member\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Group Member\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"Administrator\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Group Member\",\"GatewayStation\":\"\"}}}", "code": "266", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json index 327c21fe6b7..6bd6cf10efc 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-273-remove-owner.log-expected.json 
@@ -61,7 +61,7 @@ "event": { "severity": 2, "action": "remove owner", - "ingested": "2021-06-04T11:33:10.584014600Z", + "ingested": "2021-06-09T10:24:30.109364900Z", "original": "\u003c5\u003e1 2021-03-10T17:59:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:33\",\"IsoTimestamp\":\"2021-03-10T17:59:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"273\",\"Desc\":\"Remove Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Remove Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Remove Owner\",\"GatewayStation\":\"\"}}}", "code": "273", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json index b3d3fffc259..8a577e804cb 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-278-add-rule.log-expected.json 
@@ -55,7 +55,7 @@ "event": { "severity": 2, "action": "add rule", - "ingested": "2021-06-04T11:33:10.630981200Z", + "ingested": "2021-06-09T10:24:30.135488100Z", "original": "\u003c5\u003e1 2021-03-11T18:01:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:01:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:01:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e278\u003c/MessageID\u003e\\n \u003cDesc\u003eAdd Rule\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eAdd Rule\u003c/Action\u003e\\n \u003cSourceUser\u003eAdministrator\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMUnmanagedSessionAccounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\2\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAllow\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eAdd Rule\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:01:14\",\"IsoTimestamp\":\"2021-03-11T18:01:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"278\",\"Desc\":\"Add Rule\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Add 
Rule\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMUnmanagedSessionAccounts\",\"File\":\"Root\\\\2\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Allow\",\"ExtraDetails\":\"\",\"Message\":\"Add Rule\",\"GatewayStation\":\"\"}}}", "code": "278", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json index dc159d439ee..06cad2f1f02 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-288-auto-clear-users-history-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-06-04T11:33:10.659234400Z", + "ingested": "2021-06-09T10:24:30.162223800Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history start", - "ingested": "2021-06-04T11:33:10.659257800Z", + "ingested": "2021-06-09T10:24:30.162256200Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"288\",\"Desc\":\"Auto Clear Users History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History start\",\"GatewayStation\":\"\"}}}", "code": "288", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json index fa2e21660a9..766854bff23 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-289-auto-clear-users-history-end.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-06-04T11:33:10.700528200Z", + "ingested": "2021-06-09T10:24:30.203966100Z", "original": "\u003c5\u003e1 2021-03-05T11:00:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 03:00:06\",\"IsoTimestamp\":\"2021-03-05T11:00:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "auto clear users history end", - "ingested": "2021-06-04T11:33:10.700542700Z", + "ingested": "2021-06-09T10:24:30.203981100Z", "original": "Mar 08 03:00:20 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"289\",\"Desc\":\"Auto Clear Users History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Users History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Users History end\",\"GatewayStation\":\"\"}}}", "code": "289", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json index d0eb3b68598..2df0e45175f 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-290-auto-clear-safes-history-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear safes history start", - "ingested": "2021-06-04T11:33:10.738618500Z", + "ingested": "2021-06-09T10:24:30.239578300Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"290\",\"Desc\":\"Auto Clear Safes History start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History start\",\"GatewayStation\":\"\"}}}", "code": "290", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json index 86d0b0e33c7..119c8285961 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-291-auto-clear-safes-history-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "auto clear safes history end", - "ingested": "2021-06-04T11:33:10.762740700Z", + "ingested": "2021-06-09T10:24:30.273314700Z", "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"291\",\"Desc\":\"Auto Clear Safes History end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Auto Clear Safes History end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Auto Clear Safes History end\",\"GatewayStation\":\"\"}}}", "code": "291", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json index 0d96d994926..87a28a3d076 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-294-store-password.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788206700Z", + "ingested": "2021-06-09T10:24:30.301307700Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -129,7 +129,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788244600Z", + "ingested": "2021-06-09T10:24:30.301339100Z", "original": "\u003c5\u003e1 2021-03-08T18:24:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:49\",\"IsoTimestamp\":\"2021-03-08T18:24:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "294", "kind": "event" 
@@ -208,7 +208,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788252100Z", + "ingested": "2021-06-09T10:24:30.301345400Z", "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -276,7 +276,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788256200Z", + "ingested": "2021-06-09T10:24:30.301349200Z", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}", "code": "294", "kind": "event" 
@@ -346,7 +346,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788259600Z", + "ingested": "2021-06-09T10:24:30.301352300Z", "original": "\u003c5\u003e1 2021-03-10T17:58:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:06\",\"IsoTimestamp\":\"2021-03-10T17:58:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "code": "294", "kind": "event" @@ -415,7 +415,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788262700Z", + "ingested": "2021-06-09T10:24:30.301355Z", "original": "\u003c5\u003e1 2021-03-10T22:17:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:26\",\"IsoTimestamp\":\"2021-03-10T22:17:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\"}}}", "code": "294", "kind": "event" 
@@ -494,7 +494,7 @@
 "event": {
 "severity": 2,
 "action": "store password",
- "ingested": "2021-06-04T11:33:10.788265800Z",
+ "ingested": "2021-06-09T10:24:30.301357800Z",
 "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}",
 "code": "294",
 "kind": "event"
@@ -563,7 +563,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788268800Z", + "ingested": "2021-06-09T10:24:30.301360600Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Groups\\\\WindowsGroup\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WindowsDesktopLocalAccountsRotationalPolicy\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" 
Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615722505\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CurrInd\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615722505\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}", "code": "294", "kind": "event" 
@@ -643,7 +643,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788272700Z", + "ingested": "2021-06-09T10:24:30.301363300Z", "original": "\u003c5\u003e1 2021-03-15T10:12:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"InProcess\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"27\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"StartChangeNotBefore\\\" Value=\\\"1615754905\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615231204\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Inactive\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:21\",\"IsoTimestamp\":\"2021-03-15T10:12:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating 
System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615754905\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "294", "kind": "event" 
@@ -726,7 +726,7 @@ "event": { "severity": 2, "action": "store password", - "ingested": "2021-06-04T11:33:10.788277Z", + "ingested": "2021-06-09T10:24:30.301366200Z", "original": "\u003c5\u003e1 2021-03-15T13:13:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:13:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:13:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e294\u003c/MessageID\u003e\\n \u003cDesc\u003eStore password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:13:01\",\"IsoTimestamp\":\"2021-03-15T13:13:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"294\",\"Desc\":\"Store password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store 
password\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "294",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
index 12da067a655..604033f0059 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-295-retrieve-password.log-expected.json
@@ -68,7 +68,7 @@ "event": { "severity": 2, "reason": "AIM password request", - "ingested": "2021-06-04T11:33:11.050515Z", + "ingested": "2021-06-09T10:24:30.560288800Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eProv_PVWA\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.3\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eAIM password request\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Nobody\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_PVWA\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.3\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"AIM password request\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Nobody\"}]}}}}", "code": "295", "kind": "event", 
@@ -168,7 +168,7 @@ "event": { "severity": 2, "reason": "(Action: Show Password)", - "ingested": "2021-06-04T11:33:11.050583100Z", + "ingested": "2021-06-09T10:24:30.560304700Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Show Password)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eShow Password\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"295\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Show Password)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Show Password\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -262,7 +262,7 @@
 "event": {
 "severity": 2,
 "reason": "testing",
- "ingested": "2021-06-04T11:33:11.050593300Z",
+ "ingested": "2021-06-09T10:24:30.560341600Z",
 "original": "\u003c5\u003e1 2021-03-08T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:16:51\",\"IsoTimestamp\":\"2021-03-08T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\testobject\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"test\"},{\"Name\":\"Address\",\"Value\":\"test\"},{\"Name\":\"CPMDisabled\",\"Value\":\"testing\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -368,7 +368,7 @@
 "event": {
 "severity": 2,
 "reason": "CPM",
- "ingested": "2021-06-04T11:33:11.050597600Z",
+ "ingested": "2021-06-09T10:24:30.560350300Z",
 "original": "\u003c5\u003e1 2021-03-08T19:19:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:19:59\",\"IsoTimestamp\":\"2021-03-08T19:19:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"26\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615231182\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614785704\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -454,7 +454,7 @@
 "event": {
 "severity": 2,
 "reason": "CPM",
- "ingested": "2021-06-04T11:33:11.050600800Z",
+ "ingested": "2021-06-09T10:24:30.560354200Z",
 "original": "\u003c5\u003e1 2021-03-08T19:20:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:02\",\"IsoTimestamp\":\"2021-03-08T19:20:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615198782\"},{\"Name\":\"CurrInd\",\"Value\":\"2\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -556,7 +556,7 @@
 "event": {
 "severity": 2,
 "reason": "Application provider background refresh job",
- "ingested": "2021-06-04T11:33:11.050603700Z",
+ "ingested": "2021-06-09T10:24:30.560357600Z",
 "original": "\u003c5\u003e1 2021-03-10T14:40:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:40:37\",\"IsoTimestamp\":\"2021-03-10T14:40:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Application provider background refresh job\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -651,7 +651,7 @@
 "event": {
 "severity": 2,
 "reason": "test",
- "ingested": "2021-06-04T11:33:11.050606600Z",
+ "ingested": "2021-06-09T10:24:30.560361Z",
 "original": "\u003c5\u003e1 2021-03-10T18:27:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:27:57\",\"IsoTimestamp\":\"2021-03-10T18:27:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -746,7 +746,7 @@
 "event": {
 "severity": 2,
 "reason": "test",
- "ingested": "2021-06-04T11:33:11.050609500Z",
+ "ingested": "2021-06-09T10:24:30.560363700Z",
 "original": "\u003c5\u003e1 2021-03-10T18:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:28:07\",\"IsoTimestamp\":\"2021-03-10T18:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"test\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -852,7 +852,7 @@
 "event": {
 "severity": 2,
 "reason": "CPM",
- "ingested": "2021-06-04T11:33:11.050612800Z",
+ "ingested": "2021-06-09T10:24:30.560366500Z",
 "original": "\u003c5\u003e1 2021-03-10T23:39:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:22\",\"IsoTimestamp\":\"2021-03-10T23:39:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"InProcess\",\"Value\":\"ChangeTask\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"StartChangeNotBefore\",\"Value\":\"1615419536\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Inactive\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -938,7 +938,7 @@
 "event": {
 "severity": 2,
 "reason": "CPM",
- "ingested": "2021-06-04T11:33:11.050615600Z",
+ "ingested": "2021-06-09T10:24:30.560369200Z",
 "original": "\u003c5\u003e1 2021-03-10T23:39:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 15:39:25\",\"IsoTimestamp\":\"2021-03-10T23:39:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Groups\\\\WindowsGroup\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"CPM\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WindowsDesktopLocalAccountsRotationalPolicy\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615387136\"},{\"Name\":\"CurrInd\",\"Value\":\"1\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -1034,7 +1034,7 @@
 "event": {
 "severity": 2,
 "reason": "lksajdflkasdf",
- "ingested": "2021-06-04T11:33:11.050618700Z",
+ "ingested": "2021-06-09T10:24:30.560371700Z",
 "original": "\u003c5\u003e1 2021-03-11T16:41:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:41:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:41:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003elksajdflkasdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:41:21\",\"IsoTimestamp\":\"2021-03-11T16:41:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"lksajdflkasdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -1128,7 +1128,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-04T11:33:11.050621800Z",
+ "ingested": "2021-06-09T10:24:30.560374500Z",
 "original": "\u003c5\u003e1 2021-03-11T16:50:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMServer\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:28\",\"IsoTimestamp\":\"2021-03-11T16:50:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMServer\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}",
 "code": "295",
 "kind": "event",
@@ -1222,7 +1222,7 @@
 "event": {
 "severity": 2,
 "reason": "sdfsdf",
- "ingested": "2021-06-04T11:33:11.050624500Z",
+ "ingested": "2021-06-09T10:24:30.560376900Z",
 "original": "\u003c5\u003e1 2021-03-11T16:54:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:54:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:54:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e295\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003esdfsdf\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMApp_VAGRANT\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"centos8\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:54:20\",\"IsoTimestamp\":\"2021-03-11T16:54:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"295\",\"Desc\":\"Retrieve password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSH-centos8-PSMApp_VAGRANT\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"sdfsdf\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"PSMApp_VAGRANT\"},{\"Name\":\"Address\",\"Value\":\"centos8\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "295",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
index e9bc5866f5b..e2e9addccfa 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-300-psm-connect.log-expected.json
@@ -82,7 +82,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-04T11:33:11.439597700Z",
+ "ingested": "2021-06-09T10:24:30.936250700Z",
 "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" 
Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"300\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}",
 "code": "300",
 "kind": "event",
@@ -200,7 +200,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-04T11:33:11.439614600Z",
+ "ingested": "2021-06-09T10:24:30.936265600Z",
 "original": "\u003c5\u003e1 2021-03-11T17:38:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:20\",\"IsoTimestamp\":\"2021-03-11T17:38:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "300",
 "kind": "event",
@@ -318,7 +318,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-04T11:33:11.439618600Z",
+ "ingested": "2021-06-09T10:24:30.936269200Z",
 "original": "\u003c5\u003e1 2021-03-11T17:46:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:56\",\"IsoTimestamp\":\"2021-03-11T17:46:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "300",
 "kind": "event",
@@ -436,7 +436,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-04T11:33:11.439621800Z",
+ "ingested": "2021-06-09T10:24:30.936272100Z",
 "original": "\u003c5\u003e1 2021-03-11T17:48:34Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:34\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:34Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:34\",\"IsoTimestamp\":\"2021-03-11T17:48:34Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "300",
 "kind": "event",
@@ -554,7 +554,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-04T11:33:11.439624700Z",
+ "ingested": "2021-06-09T10:24:30.936274800Z",
 "original": "\u003c5\u003e1 2021-03-11T17:54:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:56\",\"IsoTimestamp\":\"2021-03-11T17:54:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "300",
 "kind": "event",
@@ -672,7 +672,7 @@
 },
 "event": {
 "severity": 2,
- "ingested": "2021-06-04T11:33:11.439627400Z",
+ "ingested": "2021-06-09T10:24:30.936277400Z",
 "original": "\u003c5\u003e1 2021-03-11T17:56:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:37\",\"IsoTimestamp\":\"2021-03-11T17:56:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "300",
 "kind": "event",
@@ -790,7 +790,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439630100Z", + "ingested": "2021-06-09T10:24:30.936279900Z", "original": "\u003c5\u003e1 2021-03-11T20:23:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:25\",\"IsoTimestamp\":\"2021-03-11T20:23:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -926,7 +926,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439633Z", + "ingested": "2021-06-09T10:24:30.936282500Z", "original": "\u003c5\u003e1 2021-03-14T13:49:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" 
Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:37\",\"IsoTimestamp\":\"2021-03-14T13:49:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1062,7 +1062,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439635900Z", + "ingested": "2021-06-09T10:24:30.936285100Z", "original": "\u003c5\u003e1 2021-03-14T13:50:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:50:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:50:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:50:43\",\"IsoTimestamp\":\"2021-03-14T13:50:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1196,7 +1196,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439639100Z", + "ingested": "2021-06-09T10:24:30.936287500Z", "original": "\u003c5\u003e1 2021-03-15T10:31:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:56\",\"IsoTimestamp\":\"2021-03-15T10:31:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1330,7 +1330,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439643800Z", + "ingested": "2021-06-09T10:24:30.936290300Z", "original": "\u003c5\u003e1 2021-03-15T10:33:39Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:39\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:39Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:39\",\"IsoTimestamp\":\"2021-03-15T10:33:39Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1464,7 +1464,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439646900Z", + "ingested": "2021-06-09T10:24:30.936292900Z", "original": "\u003c5\u003e1 2021-03-15T10:35:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:00\",\"IsoTimestamp\":\"2021-03-15T10:35:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1594,7 +1594,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439649700Z", + "ingested": "2021-06-09T10:24:30.936295400Z", "original": "\u003c5\u003e1 2021-03-15T13:18:31Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:31\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:31Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:31\",\"IsoTimestamp\":\"2021-03-15T13:18:31Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1724,7 +1724,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439652700Z", + "ingested": "2021-06-09T10:24:30.936298200Z", "original": "\u003c5\u003e1 2021-03-15T14:08:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:06\",\"IsoTimestamp\":\"2021-03-15T14:08:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "300", "kind": "event", 
@@ -1863,7 +1863,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439656Z", + "ingested": "2021-06-09T10:24:30.936301800Z", "original": "\u003c5\u003e1 2021-03-15T14:08:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:28\",\"IsoTimestamp\":\"2021-03-15T14:08:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", 
@@ -2002,7 +2002,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439659Z", + "ingested": "2021-06-09T10:24:30.936304600Z", "original": "\u003c5\u003e1 2021-03-15T14:11:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:09\",\"IsoTimestamp\":\"2021-03-15T14:11:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", 
@@ -2141,7 +2141,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:11.439662100Z", + "ingested": "2021-06-09T10:24:30.936307800Z", "original": "\u003c5\u003e1 2021-03-16T10:04:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e300\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Connect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Connect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Connect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:51\",\"IsoTimestamp\":\"2021-03-16T10:04:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"300\",\"Desc\":\"PSM Connect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Connect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b222ac9-c2ad-49ea-9c4e-6829940f58d4;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Connect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "300", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json index 7331a8b6857..a35ec7a2abf 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-302-psm-disconnect.log-expected.json 
@@ -84,7 +84,7 @@ "event": { "severity": 2, "duration": 7000000000, - "ingested": "2021-06-04T11:33:12.127431300Z", + "ingested": "2021-06-09T10:24:31.624781500Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"302\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:07;SessionID=35fac41e-22b5-11eb-83ca-000c297aae88;SrcHost=10.2.0.6;User=admin2;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "302", "kind": "event", 
@@ -204,7 +204,7 @@ "event": { "severity": 2, "duration": 13000000000, - "ingested": "2021-06-04T11:33:12.127448100Z", + "ingested": "2021-06-09T10:24:31.624794100Z", "original": "\u003c5\u003e1 2021-03-11T17:38:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:26\",\"IsoTimestamp\":\"2021-03-11T17:38:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:13;SessionID=87012dcc-8290-11eb-949e-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -324,7 +324,7 @@ "event": { "severity": 2, "duration": 11000000000, - "ingested": "2021-06-04T11:33:12.127453500Z", + "ingested": "2021-06-09T10:24:31.624798Z", "original": "\u003c5\u003e1 2021-03-11T17:47:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:47:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:47:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:47:01\",\"IsoTimestamp\":\"2021-03-11T17:47:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:11;SessionID=ba22b012-8291-11eb-b981-080027efd402;SrcHost=127.0.0.1;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -444,7 +444,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-04T11:33:12.127457200Z", + "ingested": "2021-06-09T10:24:31.624801600Z", "original": "\u003c5\u003e1 2021-03-11T17:48:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:40\",\"IsoTimestamp\":\"2021-03-11T17:48:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=f6acbf00-8291-11eb-b9ba-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -564,7 +564,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-04T11:33:12.127486800Z", + "ingested": "2021-06-09T10:24:31.624804300Z", "original": "\u003c5\u003e1 2021-03-11T17:55:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:55:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:55:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:55:02\",\"IsoTimestamp\":\"2021-03-11T17:55:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=d8ff4d32-8292-11eb-b962-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -684,7 +684,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-04T11:33:12.127491700Z", + "ingested": "2021-06-09T10:24:31.624807Z", "original": "\u003c5\u003e1 2021-03-11T17:56:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:42\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:42Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:42\",\"IsoTimestamp\":\"2021-03-11T17:56:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=173dd46a-8293-11eb-afcb-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -804,7 +804,7 @@ "event": { "severity": 2, "duration": 12000000000, - "ingested": "2021-06-04T11:33:12.127495200Z", + "ingested": "2021-06-09T10:24:31.624809500Z", "original": "\u003c5\u003e1 2021-03-11T20:23:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:30\",\"IsoTimestamp\":\"2021-03-11T20:23:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=ssh;PSMID=PSMServer;SessionDuration=00:00:12;SessionID=988b22e8-82a7-11eb-83b9-080027efd402;SrcHost=10.0.2.2;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -942,7 +942,7 @@ "event": { "severity": 2, "duration": 18000000000, - "ingested": "2021-06-04T11:33:12.127497900Z", + "ingested": "2021-06-09T10:24:31.624812Z", "original": "\u003c5\u003e1 2021-03-14T13:49:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:54\",\"IsoTimestamp\":\"2021-03-14T13:49:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:18;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1080,7 +1080,7 @@ "event": { "severity": 2, "duration": 54000000000, - "ingested": "2021-06-04T11:33:12.127500400Z", + "ingested": "2021-06-09T10:24:31.624814600Z", "original": "\u003c5\u003e1 2021-03-14T13:51:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:51:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:51:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:51:35\",\"IsoTimestamp\":\"2021-03-14T13:51:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:54;SessionID=47747796-03e1-4a11-af39-ab56c00e7732;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1216,7 +1216,7 @@ "event": { "severity": 2, "duration": 95000000000, - "ingested": "2021-06-04T11:33:12.127502900Z", + "ingested": "2021-06-09T10:24:31.624817Z", "original": "\u003c5\u003e1 2021-03-15T10:33:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:30\",\"IsoTimestamp\":\"2021-03-15T10:33:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:35;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1352,7 +1352,7 @@ "event": { "severity": 2, "duration": 73000000000, - "ingested": "2021-06-04T11:33:12.127505400Z", + "ingested": "2021-06-09T10:24:31.624819600Z", "original": "\u003c5\u003e1 2021-03-15T10:34:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:34:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:34:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:34:50\",\"IsoTimestamp\":\"2021-03-15T10:34:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:01:13;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1488,7 +1488,7 @@ "event": { "severity": 2, "duration": 2230000000000, - "ingested": "2021-06-04T11:33:12.127508100Z", + "ingested": "2021-06-09T10:24:31.624822300Z", "original": "\u003c5\u003e1 2021-03-15T11:12:09Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 04:12:09\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T11:12:09Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 04:12:09\",\"IsoTimestamp\":\"2021-03-15T11:12:09Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:37:10;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM 
Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1620,7 +1620,7 @@ "event": { "severity": 2, "duration": 5000000000, - "ingested": "2021-06-04T11:33:12.127511Z", + "ingested": "2021-06-09T10:24:31.624824800Z", "original": "\u003c5\u003e1 2021-03-15T13:18:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:36\",\"IsoTimestamp\":\"2021-03-15T13:18:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:05;SessionID=692fe25f-f940-4170-8ea4-5241b35173f0;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1752,7 +1752,7 @@ "event": { "severity": 2, "duration": 6000000000, - "ingested": "2021-06-04T11:33:12.127513500Z", + "ingested": "2021-06-09T10:24:31.624827200Z", "original": "\u003c5\u003e1 2021-03-15T14:08:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:11\",\"IsoTimestamp\":\"2021-03-15T14:08:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:06;SessionID=f5725611-ca57-4a2a-a089-f45b3174a358;SrcHost=81.32.170.205;User=adrian;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "302", "kind": "event", 
@@ -1893,7 +1893,7 @@ "event": { "severity": 2, "duration": 9000000000, - "ingested": "2021-06-04T11:33:12.127516300Z", + "ingested": "2021-06-09T10:24:31.624829700Z", "original": "\u003c5\u003e1 2021-03-15T14:08:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:36\",\"IsoTimestamp\":\"2021-03-15T14:08:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:09;SessionID=7db90436-8a1a-4203-9a96-65137625ab2d;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "302", "kind": "event", 
@@ -2034,7 +2034,7 @@ "event": { "severity": 2, "duration": 2952000000000, - "ingested": "2021-06-04T11:33:12.127518800Z", + "ingested": "2021-06-09T10:24:31.624832200Z", "original": "\u003c5\u003e1 2021-03-15T15:00:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:00:21\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:00:21Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e302\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Disconnect\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Disconnect\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Disconnect\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:00:21\",\"IsoTimestamp\":\"2021-03-15T15:00:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"302\",\"Desc\":\"PSM Disconnect\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"PSM Disconnect\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating 
System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"ApplicationType=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:49:12;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;User=testark;\",\"Message\":\"PSM Disconnect\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "302", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json index 601d4d22ac9..c58ad2f78cf 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-304-psm-upload-recording.log-expected.json 
@@ -65,7 +65,7 @@ "event": { "severity": 2, "action": "psm upload recording", - "ingested": "2021-06-04T11:33:12.779110700Z", + "ingested": "2021-06-09T10:24:32.315195700Z", "original": "\u003c5\u003e1 2021-03-25T09:20:56Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 05:20:56\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T09:20:56Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e304\u003c/MessageID\u003e\\n \u003cDesc\u003ePSM Upload Recording\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_COMP01\u003c/Issuer\u003e\\n \u003cAction\u003ePSM Upload Recording\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003ePSM Upload Recording\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 
05:20:56\",\"IsoTimestamp\":\"2021-03-25T09:20:56Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"304\",\"Desc\":\"PSM Upload Recording\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_COMP01\",\"Action\":\"PSM Upload Recording\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"Root\\\\a4636750-50a2-492e-984c-e08743d8a883.SSH.txt\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"DstHost=rhel7.cybr.com;LogonAccount=logon;Protocol=SSH;PSMID=PSMServer;SessionDuration=00:00:46;SessionID=a4636750-50a2-492e-984c-e08743d8a883;SrcHost=127.0.0.1;User=root;\",\"Message\":\"PSM Upload Recording\",\"GatewayStation\":\"\"}}}", "code": "304", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json index 821531cf8a5..7b8103b9c63 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-308-use-password.log-expected.json 
@@ -75,7 +75,7 @@ "event": { "severity": 2, "reason": "(Action: Connect)", - "ingested": "2021-06-04T11:33:12.812445Z", + "ingested": "2021-06-09T10:24:32.348976500Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" 
Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"308\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"10.2.0.3\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "308", "kind": "event", 
@@ -184,7 +184,7 @@ "event": { "severity": 2, "reason": "fun and profit", - "ingested": "2021-06-04T11:33:12.812459700Z", + "ingested": "2021-06-09T10:24:32.348991100Z", "original": "\u003c5\u003e1 2021-03-11T17:38:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:12\",\"IsoTimestamp\":\"2021-03-11T17:38:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -292,7 +292,7 @@ "event": { "severity": 2, "reason": "FOR FUN.", - "ingested": "2021-06-04T11:33:12.812463Z", + "ingested": "2021-06-09T10:24:32.348994500Z", "original": "\u003c5\u003e1 2021-03-11T17:46:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFOR FUN.\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:49\",\"IsoTimestamp\":\"2021-03-11T17:46:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"FOR FUN.\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -400,7 +400,7 @@ "event": { "severity": 2, "reason": "For fun and profit", - "ingested": "2021-06-04T11:33:12.812465400Z", + "ingested": "2021-06-09T10:24:32.348997400Z", "original": "\u003c5\u003e1 2021-03-11T17:48:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eFor fun and profit\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:48:27\",\"IsoTimestamp\":\"2021-03-11T17:48:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"For fun and profit\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -508,7 +508,7 @@ "event": { "severity": 2, "reason": "Because I say so", - "ingested": "2021-06-04T11:33:12.812468Z", + "ingested": "2021-06-09T10:24:32.348999900Z", "original": "\u003c5\u003e1 2021-03-11T17:54:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:54:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:54:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eBecause I say so\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:54:49\",\"IsoTimestamp\":\"2021-03-11T17:54:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Because I say so\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -616,7 +616,7 @@ "event": { "severity": 2, "reason": "for fun", - "ingested": "2021-06-04T11:33:12.812470400Z", + "ingested": "2021-06-09T10:24:32.349002400Z", "original": "\u003c5\u003e1 2021-03-11T17:56:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:56:30\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:56:30Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003efor fun\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:56:30\",\"IsoTimestamp\":\"2021-03-11T17:56:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"for fun\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -724,7 +724,7 @@ "event": { "severity": 2, "reason": "testing", - "ingested": "2021-06-04T11:33:12.812488100Z", + "ingested": "2021-06-09T10:24:32.349004900Z", "original": "\u003c5\u003e1 2021-03-11T20:23:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:23:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:23:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003etesting\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:23:17\",\"IsoTimestamp\":\"2021-03-11T20:23:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"testing\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"81.32.170.205\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -848,7 +848,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:12.812497400Z", + "ingested": "2021-06-09T10:24:32.349048100Z", "original": "\u003c5\u003e1 2021-03-14T13:49:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:35\",\"IsoTimestamp\":\"2021-03-14T13:49:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -971,7 +971,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:12.812500500Z", + "ingested": "2021-06-09T10:24:32.349060300Z", "original": "\u003c5\u003e1 2021-03-15T10:31:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:31:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:31:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:31:54\",\"IsoTimestamp\":\"2021-03-15T10:31:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "308", "kind": "event", 
@@ -1099,7 +1099,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:12.812503800Z", + "ingested": "2021-06-09T10:24:32.349063500Z", "original": "\u003c5\u003e1 2021-03-15T14:08:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:08:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:08:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:08:26\",\"IsoTimestamp\":\"2021-03-15T14:08:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", 
@@ -1227,7 +1227,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:12.812506300Z", + "ingested": "2021-06-09T10:24:32.349066800Z", "original": "\u003c5\u003e1 2021-03-16T10:04:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 03:04:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T10:04:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e308\u003c/MessageID\u003e\\n \u003cDesc\u003eUse Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUse Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUse Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" 
Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 03:04:49\",\"IsoTimestamp\":\"2021-03-16T10:04:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"308\",\"Desc\":\"Use Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Use Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Use 
Password\",\"GatewayStation\":\"34.71.250.247\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "308", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json index 3e674937811..6ce074ee17a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-309-undefined-user-logon.log-expected.json 
@@ -58,7 +58,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:13.186536400Z", + "ingested": "2021-06-09T10:24:32.715271800Z", "original": "\u003c7\u003e1 2021-03-08T18:31:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:31:52\",\"IsoTimestamp\":\"2021-03-08T18:31:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansr\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", @@ -133,7 +133,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:13.186550800Z", + "ingested": "2021-06-09T10:24:32.715285900Z", "original": "\u003c7\u003e1 2021-03-08T18:32:03Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:03\",\"IsoTimestamp\":\"2021-03-08T18:32:03Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adriansra\",\"Action\":\"Undefined User Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "309", "kind": "event", 
@@ -212,7 +212,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:13.186555300Z", + "ingested": "2021-06-09T10:24:32.715289Z", "original": "\u003c7\u003e1 2021-03-11T16:43:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:43:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:43:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMAdmin\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:43:26\",\"IsoTimestamp\":\"2021-03-11T16:43:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"PSMAdmin\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"\"}}}", "code": "309", "kind": "event", 
@@ -300,7 +300,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:13.186558Z", + "ingested": "2021-06-09T10:24:32.715291600Z", "original": "\u003c7\u003e1 2021-03-11T17:46:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:46:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:46:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eadrian\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:46:28\",\"IsoTimestamp\":\"2021-03-11T17:46:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"adrian\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "309", "kind": "event", 
@@ -397,7 +397,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:13.186560300Z", + "ingested": "2021-06-09T10:24:32.715294Z", "original": "\u003c7\u003e1 2021-03-14T13:28:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:28:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:28:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e309\u003c/MessageID\u003e\\n \u003cDesc\u003eUndefined User Logon\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003etestark\u003c/Issuer\u003e\\n \u003cAction\u003eUndefined User Logon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUndefined User Logon\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:28:00\",\"IsoTimestamp\":\"2021-03-14T13:28:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"309\",\"Desc\":\"Undefined User Logon\",\"Severity\":\"Error\",\"Issuer\":\"testark\",\"Action\":\"Undefined User 
Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Undefined User Logon\",\"GatewayStation\":\"34.71.250.247\"}}}", "code": "309", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json index b6b9c2c8a11..4cf623cd62d 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-31-cpm-reconcile-password.log-expected.json 
@@ -72,7 +72,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.302401500Z", + "ingested": "2021-06-09T10:24:32.839807100Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e31\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.4\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=dbserver.cyberark.local;username=Administrator2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" 
Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Version\":\"11.6.0000\",\"MessageID\":\"31\",\"Desc\":\"CPM Reconcile Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.4\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask\",\"ExtraDetails\":\"address=dbserver.cyberark.local;username=Administrator2;\",\"Message\":\"CPM Reconcile Password\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating 
System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}", "code": "31", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json index c6b75fca4ba..bb982766042 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-310-monitor-dr-replication-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-06-04T11:33:13.339254200Z", + "ingested": "2021-06-09T10:24:32.883718900Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor dr replication start", - "ingested": "2021-06-04T11:33:13.339268800Z", + "ingested": "2021-06-09T10:24:32.883735400Z", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"310\",\"Desc\":\"Monitor DR Replication start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication start\",\"GatewayStation\":\"\"}}}", "code": "310", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json index 0fc53703252..b94c4c4262a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-311-monitor-dr-replication-end.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor dr replication end", - "ingested": "2021-06-04T11:33:13.373469900Z", + "ingested": "2021-06-09T10:24:32.928867700Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "code": "311", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor dr replication end", - "ingested": "2021-06-04T11:33:13.373479200Z", + "ingested": "2021-06-09T10:24:32.928881400Z", "original": "Mar 08 02:48:07 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"311\",\"Desc\":\"Monitor DR Replication end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor DR Replication end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor DR Replication end\",\"GatewayStation\":\"\"}}}", "code": "311", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json index bf0083ddb54..75387bbd297 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-316-reset-user-password-detailed-information.log-expected.json @@ -61,7 +61,7 @@ "event": { "severity": 2, "action": "reset user password detailed information", - "ingested": "2021-06-04T11:33:13.410630600Z", + "ingested": "2021-06-09T10:24:32.965227300Z", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"316\",\"Desc\":\"Reset User Password Detailed Information\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password Detailed Information\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Password changed\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password Detailed Information\",\"GatewayStation\":\"\"}}}", "code": "316", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json index 1d90ab078bb..931ee7ca23a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-317-reset-user-password.log-expected.json @@ -60,7 +60,7 @@ "event": { "severity": 2, "action": "reset user password", - "ingested": "2021-06-04T11:33:13.438169700Z", + "ingested": "2021-06-09T10:24:32.992212100Z", "original": "\u003c5\u003e1 2021-03-10T18:16:45Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:45\",\"IsoTimestamp\":\"2021-03-10T18:16:45Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"317\",\"Desc\":\"Reset User Password\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Reset User Password\",\"SourceUser\":\"PSMGw_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Reset User Password\",\"GatewayStation\":\"\"}}}", "code": "317", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json index afe4df95a34..20b5e423233 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-32-add-owner.log-expected.json 
@@ -64,7 +64,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462377900Z", + "ingested": "2021-06-09T10:24:33.021023200Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Master\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -148,7 +148,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462388900Z", + "ingested": "2021-06-09T10:24:33.021035500Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Administrator\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -233,7 +233,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462392200Z", + "ingested": "2021-06-09T10:24:33.021038900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Batch\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -318,7 +318,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462394900Z", + "ingested": "2021-06-09T10:24:33.021041600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Operators\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -403,7 +403,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462397300Z", + "ingested": "2021-06-09T10:24:33.021044200Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Backup Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -488,7 +488,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462399500Z", + "ingested": "2021-06-09T10:24:33.021046400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -573,7 +573,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462401800Z", + "ingested": "2021-06-09T10:24:33.021048500Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"DR Users\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -658,7 +658,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462404200Z", + "ingested": "2021-06-09T10:24:33.021050700Z", "original": "\u003c5\u003e1 2021-03-10T09:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:20\",\"IsoTimestamp\":\"2021-03-10T09:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Notification Engines\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -743,7 +743,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462406400Z", + "ingested": "2021-06-09T10:24:33.021052900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:22\",\"IsoTimestamp\":\"2021-03-10T09:11:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMPApp_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -828,7 +828,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462408600Z", + "ingested": "2021-06-09T10:24:33.021055100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -913,7 +913,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462410900Z", + "ingested": "2021-06-09T10:24:33.021057400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -998,7 +998,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462413400Z", + "ingested": "2021-06-09T10:24:33.021059600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:23\",\"IsoTimestamp\":\"2021-03-10T09:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -1083,7 +1083,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462415800Z", + "ingested": "2021-06-09T10:24:33.021061900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:36\",\"IsoTimestamp\":\"2021-03-10T09:11:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PVWAGWAccounts\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBUserProfile\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -1168,7 +1168,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462418100Z", + "ingested": "2021-06-09T10:24:33.021064100Z", "original": "\u003c5\u003e1 2021-03-10T09:11:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:37\",\"IsoTimestamp\":\"2021-03-10T09:11:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_localhost.localdomain\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeConf\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
@@ -1253,7 +1253,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462420400Z", + "ingested": "2021-06-09T10:24:33.021066500Z", "original": "\u003c5\u003e1 2021-03-10T09:11:38Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:38\",\"IsoTimestamp\":\"2021-03-10T09:11:38Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMP_ADB_AppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSMPADBridgeCustom\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", @@ -1338,7 +1338,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.462422800Z", + "ingested": "2021-06-09T10:24:33.021068800Z", "original": "\u003c5\u003e1 2021-03-10T17:59:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:59:32\",\"IsoTimestamp\":\"2021-03-10T17:59:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"32\",\"Desc\":\"Add Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Add Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Add Owner\",\"GatewayStation\":\"\"}}}", "code": "32", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json index 8dffa2f64df..ee36e11d950 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-326-cpm-auto-detection-start.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection start", - "ingested": "2021-06-04T11:33:13.854526500Z", + "ingested": "2021-06-09T10:24:33.411730200Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e326\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection Start\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection Start\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection Start\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"326\",\"Desc\":\"CPM Auto-detection Start\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection Start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection Start\",\"GatewayStation\":\"\"}}}", "code": "326", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json index 4960b9d2f44..5225622a7d1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-327-cpm-auto-detection-end.log-expected.json 
@@ -59,7 +59,7 @@ "event": { "severity": 2, "action": "cpm auto-detection end", - "ingested": "2021-06-04T11:33:13.883078500Z", + "ingested": "2021-06-09T10:24:33.441721800Z", "original": "\u003c5\u003e1 2021-03-11T16:21:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:21:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:21:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e327\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Auto-detection End\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Auto-detection End\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePasswordManager_info\u003c/Safe\u003e\\n \u003cFile\u003e \u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e \u003c/Reason\u003e\\n \u003cExtraDetails\u003eADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Auto-detection End\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
08:21:37\",\"IsoTimestamp\":\"2021-03-11T16:21:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"327\",\"Desc\":\"CPM Auto-detection End\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Auto-detection End\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_info\",\"File\":\" \",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\" \",\"ExtraDetails\":\"ADProcessID=2b2d3024-be5a-4b57-9f64-3813fb56e9b9;ADProcessName=LDAP Based Windows Local Administrator Account Provisioning;\",\"Message\":\"CPM Auto-detection End\",\"GatewayStation\":\"\"}}}", "code": "327", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json index a97a3b2c9ed..ed70471a5a3 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-33-update-owner.log-expected.json 
@@ -64,7 +64,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.917022900Z", + "ingested": "2021-06-09T10:24:33.474073800Z", "original": "\u003c5\u003e1 2021-03-10T18:16:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:49\",\"IsoTimestamp\":\"2021-03-10T18:16:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -149,7 +149,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.917035800Z", + "ingested": "2021-06-09T10:24:33.474089200Z", "original": "\u003c5\u003e1 2021-03-10T18:16:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:50\",\"IsoTimestamp\":\"2021-03-10T18:16:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMApp_VAGRANT\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", 
@@ -234,7 +234,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.917039Z", + "ingested": "2021-06-09T10:24:33.474092400Z", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -319,7 +319,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.917041400Z", + "ingested": "2021-06-09T10:24:33.474095100Z", "original": "\u003c5\u003e1 2021-03-10T18:16:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:51\",\"IsoTimestamp\":\"2021-03-10T18:16:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PSMMaster\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", 
@@ -404,7 +404,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.917043900Z", + "ingested": "2021-06-09T10:24:33.474097700Z", "original": "\u003c5\u003e1 2021-03-10T18:16:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:16:53\",\"IsoTimestamp\":\"2021-03-10T18:16:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"Vault Admins\",\"TargetUser\":\"\",\"Safe\":\"PSMUniversalConnectors\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", @@ -488,7 +488,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.917046100Z", + "ingested": "2021-06-09T10:24:33.474100Z", "original": "\u003c5\u003e1 2021-03-10T22:19:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:19:18\",\"IsoTimestamp\":\"2021-03-10T22:19:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Update Owner\",\"SourceUser\":\"PVWAAppUsers\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", 
@@ -574,7 +574,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:13.917048400Z", + "ingested": "2021-06-09T10:24:33.474102300Z", "original": "\u003c5\u003e1 2021-03-11T17:38:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:14\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:14Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e33\u003c/MessageID\u003e\\n \u003cDesc\u003eUpdate Owner\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eUpdate Owner\u003c/Action\u003e\\n \u003cSourceUser\u003eAuditors\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUpdate Owner\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:14\",\"IsoTimestamp\":\"2021-03-11T17:38:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"33\",\"Desc\":\"Update Owner\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Update 
Owner\",\"SourceUser\":\"Auditors\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update Owner\",\"GatewayStation\":\"\"}}}", "code": "33", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json index fbb54c9165b..d66bb09aa94 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-355-monitor-license-expiration-date-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor license expiration date start", - "ingested": "2021-06-04T11:33:14.089316900Z", + "ingested": "2021-06-09T10:24:33.660154700Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"355\",\"Desc\":\"Monitor License Expiration Date start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date start\",\"GatewayStation\":\"\"}}}", "code": "355", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json index 755d06e5a88..9f99ecb1719 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-356-monitor-license-expiration-date-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor license expiration date end", - "ingested": "2021-06-04T11:33:14.113820700Z", + "ingested": "2021-06-09T10:24:33.682528300Z", "original": "\u003c5\u003e1 2021-03-09T10:17:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:17:54\",\"IsoTimestamp\":\"2021-03-09T10:17:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"356\",\"Desc\":\"Monitor License Expiration Date end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor License Expiration Date end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor License Expiration Date end\",\"GatewayStation\":\"\"}}}", "code": "356", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json index bd6ad4b1693..e6bc94ebcd2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-357-monitor-fw-rules-start.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-06-04T11:33:14.160454200Z", + "ingested": "2021-06-09T10:24:33.706025600Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" @@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules start", - "ingested": "2021-06-04T11:33:14.160469100Z", + "ingested": "2021-06-09T10:24:33.706037Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"357\",\"Desc\":\"Monitor FW rules start\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW rules start\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW rules start\",\"GatewayStation\":\"\"}}}", "code": "357", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json index 42fb47fd3b9..1e5973cd121 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-358-monitor-fw-rules-end.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-06-04T11:33:14.196022700Z", + "ingested": "2021-06-09T10:24:33.740907200Z", "original": "\u003c5\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" 
@@ -90,7 +90,7 @@ "event": { "severity": 2, "action": "monitor fw rules end", - "ingested": "2021-06-04T11:33:14.196035800Z", + "ingested": "2021-06-09T10:24:33.740920600Z", "original": "Mar 08 02:32:56 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"358\",\"Desc\":\"Monitor FW Rules end\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Monitor FW Rules end\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Monitor FW Rules end\",\"GatewayStation\":\"\"}}}", "code": "358", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json index 8f7fb9f6823..3644ea6f7b9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-359-sql-command.log-expected.json 
@@ -102,7 +102,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230205Z", + "ingested": "2021-06-09T10:24:33.776957500Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT USER FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT USER FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=69B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -221,7 +221,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230216500Z", + "ingested": "2021-06-09T10:24:33.776968300Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_OUTPUT.DISABLE\\\\; END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_OUTPUT.DISABLE\\\\; 
END\\\\;;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=123B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -340,7 +340,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230219500Z", + "ingested": "2021-06-09T10:24:33.776971400Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
ATTRIBUTE,SCOPE,NUMERIC_VALUE,CHAR_VALUE,DATE_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND (UPPER(USER) LIKE USERID);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=187B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -459,7 +459,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230222Z", + "ingested": "2021-06-09T10:24:33.776973800Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty 
Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT 
CHAR_VALUE FROM SYSTEM.PRODUCT_PRIVS WHERE (UPPER('SQL*Plus') LIKE UPPER(PRODUCT)) AND ((UPPER(USER) LIKE USERID) OR (USERID \\\\= 'PUBLIC')) AND (UPPER(ATTRIBUTE) \\\\= 'ROLES');ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=380B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -578,7 +578,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230224300Z", + "ingested": "2021-06-09T10:24:33.776976100Z", "original": "\u003c5\u003e1 2021-03-25T14:56:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:44\",\"IsoTimestamp\":\"2021-03-25T14:56:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=BEGIN DBMS_APPLICATION_INFO.SET_MODULE(:1,NULL)\\\\; END\\\\; (Parameters bound by 
position: 1\\\\=[SQL*Plus]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=596B;SrcHost=127.0.0.1;User=HR;VIDOffset=4T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -697,7 +697,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230226800Z", + "ingested": "2021-06-09T10:24:33.776978400Z", "original": "\u003c5\u003e1 2021-03-25T14:56:45Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:45\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:45Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT DECODE('A','A','1','2') FROM DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:45\",\"IsoTimestamp\":\"2021-03-25T14:56:45Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT DECODE('A','A','1','2') FROM 
DUAL;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=727B;SrcHost=127.0.0.1;User=HR;VIDOffset=5T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -816,7 +816,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230229100Z", + "ingested": "2021-06-09T10:24:33.776980600Z", "original": "\u003c5\u003e1 2021-03-25T14:56:54Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:56:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:56:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:56:54\",\"IsoTimestamp\":\"2021-03-25T14:56:54Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[HELP]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=800B;SrcHost=127.0.0.1;User=HR;VIDOffset=14T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -935,7 +935,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230231300Z", + "ingested": "2021-06-09T10:24:33.776982800Z", "original": "\u003c5\u003e1 2021-03-25T14:58:02Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:02\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:02Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT * FROM DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:02\",\"IsoTimestamp\":\"2021-03-25T14:58:02Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT * FROM 
DBA_USERS;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1097B;SrcHost=127.0.0.1;User=HR;VIDOffset=82T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -1054,7 +1054,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230233800Z", + "ingested": "2021-06-09T10:24:33.776985100Z", "original": "\u003c5\u003e1 2021-03-25T14:57:05Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:57:05\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:57:05Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SELECT INFO FROM SYSTEM.HELP WHERE UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:57:05\",\"IsoTimestamp\":\"2021-03-25T14:57:05Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SELECT INFO FROM SYSTEM.HELP WHERE 
UPPER(TOPIC) LIKE :1 ORDER BY TOPIC,SEQ (Parameters bound by position: 1\\\\=[SHOW%]);ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=948B;SrcHost=127.0.0.1;User=HR;VIDOffset=25T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "359", "kind": "event", 
@@ -1173,7 +1173,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.230236100Z", + "ingested": "2021-06-09T10:24:33.776987300Z", "original": "\u003c5\u003e1 2021-03-25T14:58:44Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 10:58:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T14:58:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e359\u003c/MessageID\u003e\\n \u003cDesc\u003eSQL Command\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eSQL Command\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eOracle\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-oracle.cybr.com-HR\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=select distinct owner from all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSQL Command\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"HR\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"oracle.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"XE\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580248\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"1521\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011984\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"Oracle;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 10:58:44\",\"IsoTimestamp\":\"2021-03-25T14:58:44Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"359\",\"Desc\":\"SQL Command\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"SQL Command\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Oracle\",\"File\":\"Root\\\\Database-Oracle-oracle.cybr.com-HR\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=select distinct owner from 
all_objects;ConnectionComponentId=PSM-SQLPlus;DataBase=XE;DstHost=oracle.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=0887c643-42f2-4a4f-806e-58c1689de0e6;SQLOffset=1153B;SrcHost=127.0.0.1;User=HR;VIDOffset=124T;\",\"Message\":\"SQL Command\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"HR\"},{\"Name\":\"Address\",\"Value\":\"oracle.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"XE\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580248\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Port\",\"Value\":\"1521\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011984\"},{\"Name\":\"Tags\",\"Value\":\"Oracle;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "359",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
index 358c273e228..5ec2c6159d0 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-361-keystroke-logging.log-expected.json
@@ -85,7 +85,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.622793600Z", + "ingested": "2021-06-09T10:24:34.191920Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.7\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"LINUX-SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"admin2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"radiussrv.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating 
System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"No Reason\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"Tesla\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"361\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux\",\"File\":\"Root\\\\Operating System-LINUX-SSH-radiussrv.cyberark.local-admin2\",\"Station\":\"10.2.0.7\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=ls \\\"/var/tmp\\\";ConnectionComponentId=PSMP-SSH;DstHost=radiussrv.cyberark.local;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=499852f2-22b5-11eb-8bff-000c297aae88;SrcHost=10.2.0.6;SSHOffset=3642B;User=admin2;VIDOffset=125T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"LINUX-SSH\"},{\"Name\":\"UserName\",\"Value\":\"admin2\"},{\"Name\":\"Address\",\"Value\":\"radiussrv.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"CPMDisabled\",\"Value\":\"No Reason\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"Customer\",\"Value\":\"Tesla\"}]}}}}", "code": "361", "kind": "event", 
@@ -223,7 +223,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.622807500Z", + "ingested": "2021-06-09T10:24:34.191933600Z", "original": "\u003c5\u003e1 2021-03-14T13:49:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:49\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:49Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:49:49\",\"IsoTimestamp\":\"2021-03-14T13:49:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=d284c268-2ba0-4366-af52-e33459b073a1;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=10T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", 
@@ -359,7 +359,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.622810700Z", + "ingested": "2021-06-09T10:24:34.191936800Z", "original": "\u003c5\u003e1 2021-03-15T10:32:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:32:04\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:32:04Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:32:04\",\"IsoTimestamp\":\"2021-03-15T10:32:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=29f340df-89e9-405a-beae-0216390cda42;SrcHost=81.32.170.205;SSHOffset=1312B;User=testark;VIDOffset=6T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", 
@@ -495,7 +495,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.622813600Z", + "ingested": "2021-06-09T10:24:34.191939300Z", "original": "\u003c5\u003e1 2021-03-15T10:33:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:33:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:33:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:33:47\",\"IsoTimestamp\":\"2021-03-15T10:33:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=f1654cf8-8ce5-472a-8205-ba731b0fab46;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", 
@@ -631,7 +631,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.622816Z", + "ingested": "2021-06-09T10:24:34.191941800Z", "original": "\u003c5\u003e1 2021-03-15T10:35:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:35:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:35:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:35:08\",\"IsoTimestamp\":\"2021-03-15T10:35:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=8b3d0b38-aef5-49d9-bdd7-d57706887d8b;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=7T;\",\"Message\":\"Keystroke 
logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "361", "kind": "event", 
@@ -772,7 +772,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.622859Z", + "ingested": "2021-06-09T10:24:34.192007800Z", "original": "\u003c5\u003e1 2021-03-15T14:11:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:11:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:11:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=sudo su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814025\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:11:18\",\"IsoTimestamp\":\"2021-03-15T14:11:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=sudo 
su;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=1309B;User=testark;VIDOffset=8T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814025\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "361", "kind": "event", 
@@ -913,7 +913,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:14.622862600Z", + "ingested": "2021-06-09T10:24:34.192011900Z", "original": "\u003c5\u003e1 2021-03-15T14:45:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:45:51\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:45:51Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e361\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:45:51\",\"IsoTimestamp\":\"2021-03-15T14:45:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"361\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=(reverse-i-search)`grant': grant all privileges on *.* TO 'root'@'%' with grant option\\\\;;ConnectionComponentId=PSMP-SSH;DstHost=34.123.103.115;ManagedAccount=Yes;Protocol=SSH;PSMID=PSMServer;SessionID=27f74dce-f5d5-4c94-bf99-ca6aafe2c518;SrcHost=81.32.170.205;SSHOffset=296291B;User=testark;VIDOffset=2081T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set 
or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "361", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json index b5352383175..bd209cb5979 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-38-cpm-verify-password-failed.log-expected.json 
@@ -104,7 +104,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-04T11:33:14.919425Z", + "ingested": "2021-06-09T10:24:34.493868300Z", "original": "\u003c7\u003e1 2021-03-15T13:19:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:19:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:19:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814397\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:19:58\",\"IsoTimestamp\":\"2021-03-15T13:19:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814397\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -226,7 +226,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). ", - "ingested": "2021-06-04T11:33:14.919437700Z", + "ingested": "2021-06-09T10:24:34.493901800Z", "original": "\u003c7\u003e1 2021-03-15T13:25:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:25:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:25:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615814709\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserDN\\\" Value=\\\"ELASTIC.local\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:25:32\",\"IsoTimestamp\":\"2021-03-15T13:25:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615814709\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"UserDN\",\"Value\":\"ELASTIC.local\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The network name cannot be found. (winRc=67). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -347,7 +347,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-04T11:33:14.919440500Z", + "ingested": "2021-06-09T10:24:34.493904800Z", "original": "\u003c7\u003e1 2021-03-15T13:33:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:33:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:33:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615815206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:33:26\",\"IsoTimestamp\":\"2021-03-15T13:33:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #0). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615815206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -469,7 +469,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-04T11:33:14.919442800Z", + "ingested": "2021-06-09T10:24:34.493907200Z", "original": "\u003c7\u003e1 2021-03-15T15:04:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:04:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:04:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615820651\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:04:11\",\"IsoTimestamp\":\"2021-03-15T15:04:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #1). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=1;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615820651\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -591,7 +591,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-04T11:33:14.919444900Z", + "ingested": "2021-06-09T10:24:34.493909500Z", "original": "\u003c7\u003e1 2021-03-15T16:35:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:35:01\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:35:01Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615826099\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:35:01\",\"IsoTimestamp\":\"2021-03-15T16:35:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #2). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615826099\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -699,7 +699,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-04T11:33:14.919447500Z", + "ingested": "2021-06-09T10:24:34.493911500Z", "original": "\u003c7\u003e1 2021-03-15T16:56:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 09:56:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T16:56:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827245\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 09:56:29\",\"IsoTimestamp\":\"2021-03-15T16:56:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 10.0.1.20. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827245\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 10.0.1.20. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -809,7 +809,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application", - "ingested": "2021-06-04T11:33:14.919449600Z", + "ingested": "2021-06-09T10:24:34.493919100Z", "original": "\u003c7\u003e1 2021-03-15T17:01:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:01:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:01:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827554\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mariadb\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:01:07\",\"IsoTimestamp\":\"2021-03-15T17:01:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827554\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"mariadb\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM014 Native error: 0 Message: [Microsoft][ODBC Driver Manager] The specified DSN contains an architecture mismatch between the Driver and Application\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -919,7 +919,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-06-04T11:33:14.919451800Z", + "ingested": "2021-06-09T10:24:34.493922700Z", "original": "\u003c7\u003e1 2021-03-15T17:05:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:05:47\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:05:47Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615827864\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:05:47\",\"IsoTimestamp\":\"2021-03-15T17:05:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615827864\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DRIVER={MariaDB ODBC 3.1 Driver};TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1029,7 +1029,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-06-04T11:33:14.919454Z", + "ingested": "2021-06-09T10:24:34.493925300Z", "original": "\u003c7\u003e1 2021-03-15T17:10:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:10:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:10:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=10.0.1.20;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.0.1.20\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615828174\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:10:25\",\"IsoTimestamp\":\"2021-03-15T17:10:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=10.0.1.20;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"10.0.1.20\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615828174\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"DSN\",\"Value\":\"DSN=mariadb;TCPIP=1;SERVER=localhost;UID=root;PWD=1234;DATABASE=test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1140,7 +1140,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-04T11:33:14.919456100Z", + "ingested": "2021-06-09T10:24:34.493927800Z", "original": "\u003c7\u003e1 2021-03-15T17:28:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:28:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:28:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829287\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:28:07\",\"IsoTimestamp\":\"2021-03-15T17:28:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server 127.0.0.1. 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829287\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server 127.0.0.1. State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1253,7 +1253,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-04T11:33:14.919458200Z", + "ingested": "2021-06-09T10:24:34.493929900Z", "original": "\u003c7\u003e1 2021-03-15T17:33:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:33:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:33:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829597\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:33:17\",\"IsoTimestamp\":\"2021-03-15T17:33:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829597\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1366,7 +1366,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length", - "ingested": "2021-06-04T11:33:14.919460600Z", + "ingested": "2021-06-09T10:24:34.493932Z", "original": "\u003c7\u003e1 2021-03-15T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 10:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=127.0.0.1;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"127.0.0.1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615829907\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 10:38:27\",\"IsoTimestamp\":\"2021-03-15T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\\n\",\"ExtraDetails\":\"address=127.0.0.1;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"127.0.0.1\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615829907\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=%ADDRESS%;user=%USER%;option=3;port=%PORT%;Password=%LOGONPASSWORD%\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: HY090 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Invalid string or buffer length\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1475,7 +1475,7 @@ "event": { "severity": 7, "reason": "Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified", - "ingested": "2021-06-04T11:33:14.919462600Z", + "ingested": "2021-06-09T10:24:34.493934Z", "original": "\u003c7\u003e1 2021-03-15T18:00:07Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:00:07\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:00:07Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.0.1.20-root\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831206\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DSN\\\" Value=\\\"mysql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:00:07\",\"IsoTimestamp\":\"2021-03-15T18:00:07Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.0.1.20-root\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM344E Verifying Password Safe: partner, Folder: Root, Object: Database-MySQL-10.0.1.20-root failed (try #0). Code: 2103, Error: Error when verifypass to User root on Server . 
State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\\n\",\"ExtraDetails\":\"address=Driver\\\\={MySQL ODBC 5.3 Unicode Driver}\\\\;server\\\\=127.0.0.1\\\\;user\\\\=root\\\\;option\\\\=3\\\\;port\\\\=3306\\\\;Password\\\\=1234;username=root;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"root\"},{\"Name\":\"Address\",\"Value\":\"Driver={MySQL ODBC 5.3 Unicode Driver};server=127.0.0.1;user=root;option=3;port=3306;Password=1234\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831206\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"DSN\",\"Value\":\"mysql\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error when verifypass to User root on Server . State: IM002 Native error: 0 Message: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}", "code": "38", "kind": "event", 
@@ -1597,7 +1597,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-04T11:33:14.919464700Z", + "ingested": "2021-06-09T10:24:34.493936Z", "original": "\u003c7\u003e1 2021-03-15T18:05:16Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 11:05:16\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T18:05:16Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615831516\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 11:05:16\",\"IsoTimestamp\":\"2021-03-15T18:05:16Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #3). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615831516\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", 
@@ -1719,7 +1719,7 @@ "event": { "severity": 7, "reason": "Error in verifypass to user 34.66.114.180\\ELASTIC.local\\bart on domain 34.66.114.180(\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). ", - "ingested": "2021-06-04T11:33:14.919466800Z", + "ingested": "2021-06-09T10:24:34.493938Z", "original": "\u003c7\u003e1 2021-03-16T09:50:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 16 02:50:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-16T09:50:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e38\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC.local\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615888216\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 16 02:50:19\",\"IsoTimestamp\":\"2021-03-16T09:50:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"38\",\"Desc\":\"CPM Verify Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-34.66.114.180-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM344E Verifying Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-34.66.114.180-ELASTICbart failed (try #4). Code: 2101, Error: Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). 
\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC.local\\\\bart;\",\"Message\":\"CPM Verify Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC.local\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"VerifyTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615888216\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Error in verifypass to user 34.66.114.180\\\\ELASTIC.local\\\\bart on domain 34.66.114.180(\\\\\\\\34.66.114.180). Reason: The specified username is invalid. (winRc=2202). \"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "38", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json index 5aacddab4c3..394854cf5da 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-385-blservice-audit-record.log-expected.json 
@@ -58,7 +58,7 @@ "event": { "severity": 2, "action": "blservice audit record", - "ingested": "2021-06-04T11:33:15.446535600Z", + "ingested": "2021-06-09T10:24:35.024603900Z", "original": "\u003c5\u003e1 2021-03-11T16:31:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:13\",\"IsoTimestamp\":\"2021-03-11T16:31:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: False; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "385", "kind": "event" 
@@ -122,7 +122,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record", 
- "ingested": "2021-06-04T11:33:15.446548700Z", 
+ "ingested": "2021-06-09T10:24:35.024616700Z",
 "original": "\u003c5\u003e1 2021-03-11T16:31:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:31:23\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:31:23Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:31:23\",\"IsoTimestamp\":\"2021-03-11T16:31:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: True; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event"
@@ -186,7 +186,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record", 
- "ingested": "2021-06-04T11:33:15.446551500Z", 
+ "ingested": "2021-06-09T10:24:35.024619600Z",
 "original": "\u003c5\u003e1 2021-03-11T19:40:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:40:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:40:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:40:52\",\"IsoTimestamp\":\"2021-03-11T19:40:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: True; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event"
@@ -250,7 +250,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record", 
- "ingested": "2021-06-04T11:33:15.446554300Z", 
+ "ingested": "2021-06-09T10:24:35.024622Z",
 "original": "\u003c5\u003e1 2021-03-14T12:04:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:35\",\"IsoTimestamp\":\"2021-03-14T12:04:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 90; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; 
PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event"
@@ -314,7 +314,7 @@
 "event": {
 "severity": 2,
 "action": "blservice audit record", 
- "ingested": "2021-06-04T11:33:15.446556600Z", 
+ "ingested": "2021-06-09T10:24:35.024624300Z",
 "original": "\u003c5\u003e1 2021-03-14T12:04:53Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:04:53\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:04:53Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e385\u003c/MessageID\u003e\\n \u003cDesc\u003eBLService Audit Record\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eBLService Audit Record\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; 
AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eBLService Audit Record\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:04:53\",\"IsoTimestamp\":\"2021-03-14T12:04:53Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"385\",\"Desc\":\"BLService Audit Record\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"BLService Audit Record\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\u003cVaultCommandAuditApplicativeHeader z:Id=\\\"1\\\" xmlns=\\\"CyberArk.AppServices.LogicContainer.Audit\\\" xmlns:i=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:z=\\\"http://schemas.microsoft.com/2003/10/Serialization/\\\"\u003e\u003cRuleAuditComponent z:Id=\\\"2\\\"\u003e\u003cAction z:Id=\\\"3\\\"\u003eUpdate\u003c/Action\u003e\u003cContainerName z:Id=\\\"4\\\"/\u003e\u003cIsAdvanced\u003etrue\u003c/IsAdvanced\u003e\u003cNewValue z:Id=\\\"5\\\"\u003eEnforceExclusiveAccess: False; EnforceOneTimePasswords: False; AllowOPMAccess: True; RecordSessions: True; EnforceExpirationPeriod: 500; EnforceVerificationPeriod: 7; AuditRetentionPeriod: 
90; PSMEnabled: False; RequireReason: AllowFreeTextReason: True, BasicValue: False; AllowTransparentConnection: AllowViewingPasswords: True, BasicValue: True; DualControl: BasicValue: False, DualControlRequireMultilevelApproval: False, DualControlRequireManagerialApproval: False, DualControlRequiredConfirmers: 1\u003c/NewValue\u003e\u003cOldValue z:Id=\\\"6\\\"\u003eN/A\u003c/OldValue\u003e\u003cPropertyName z:Id=\\\"7\\\"\u003eMaster Policy\u003c/PropertyName\u003e\u003c/RuleAuditComponent\u003e\u003c/VaultCommandAuditApplicativeHeader\u003e\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"BLService Audit Record\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "385",
 "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json 
index bda5a06ad15..b9e081115c3 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-4-user-authentication.log-expected.json
@@ -61,7 +61,7 @@
 },
 "event": {
 "severity": 7, 
- "ingested": "2021-06-04T11:33:15.552396Z", 
+ "ingested": "2021-06-09T10:24:35.129865Z",
 "original": "\u003c7\u003e1 2021-03-10T18:42:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:42:36\",\"IsoTimestamp\":\"2021-03-10T18:42:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"\"}}}",
 "code": "4",
 "kind": "event",
@@ -137,7 +137,7 @@
 },
 "event": {
 "severity": 7, 
- "ingested": "2021-06-04T11:33:15.552408900Z", 
+ "ingested": "2021-06-09T10:24:35.129876300Z",
 "original": "\u003c7\u003e1 2021-03-11T18:03:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:03:43\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:03:43Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e4\u003c/MessageID\u003e\\n \u003cDesc\u003eUser Authentication\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eUser Authentication\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eUser Authentication\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:03:43\",\"IsoTimestamp\":\"2021-03-11T18:03:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"4\",\"Desc\":\"User Authentication\",\"Severity\":\"Error\",\"Issuer\":\"Administrator\",\"Action\":\"User 
Authentication\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"User Authentication\",\"GatewayStation\":\"10.0.1.20\"}}}",
 "code": "4",
 "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
index 4fa6ccc9820..734b6cf1929 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-411-window-title.log-expected.json
@@ -95,7 +95,7 @@
 },
 "event": {
 "severity": 2, 
- "ingested": "2021-06-04T11:33:15.600235100Z", 
+ "ingested": "2021-06-09T10:24:35.179654900Z",
 "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e411\u003c/MessageID\u003e\\n \u003cDesc\u003eWindow Title\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eWindow Title\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eWindows\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\u003c/File\u003e\\n \u003cStation\u003e10.2.0.5\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eWindow Title\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WIN-SERVER-LOCAL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"Administrator2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"dbserver.cyberark.local\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"DBServer\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1604944215\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Customer\\\" Value=\\\"EvilCorp\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"411\",\"Desc\":\"Window Title\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Window Title\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Windows\",\"File\":\"Root\\\\Operating System-WIN-SERVER-LOCAL-dbserver.cyberark.local-Administrator2\",\"Station\":\"10.2.0.5\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=shutdown.exe, Shutdown Event Tracker;ConnectionComponentId=PSM-RDP;DstHost=dbserver.cyberark.local;ProcessId=4144;ProcessName=shutdown.exe;Protocol=RDP;PSMID=PSMServer_88f6598;RDPOffset=218B;SessionID=a1f46060-1de4-4f56-a8ba-71fdf3140ac1;SrcHost=10.2.0.6;User=Administrator2;VIDOffset=12T;\",\"IsoTimestamp\":\"2021-03-16T17:11:42Z\",\"Message\":\"Window 
Title\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WIN-SERVER-LOCAL\"},{\"Name\":\"UserName\",\"Value\":\"Administrator2\"},{\"Name\":\"Address\",\"Value\":\"dbserver.cyberark.local\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"LogonDomain\",\"Value\":\"DBServer\"},{\"Name\":\"SequenceID\",\"Value\":\"1\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1604944215\"},{\"Name\":\"Customer\",\"Value\":\"EvilCorp\"}]}}}}",
 "code": "411",
 "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json 
index d50b1374b43..c46e56a355b 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-412-keystroke-logging.log-expected.json
@@ -101,7 +101,7 @@
 },
 "event": {
 "severity": 2, 
- "ingested": "2021-06-04T11:33:15.643035900Z", 
+ "ingested": "2021-06-09T10:24:35.222280400Z",
 "original": "\u003c5\u003e1 2021-03-25T11:29:37Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 07:29:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T11:29:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e412\u003c/MessageID\u003e\\n \u003cDesc\u003eKeystroke logging\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eKeystroke logging\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eMSSQL\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MSSql-epmsvr01.cybr.com-sa\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003eCommand=SHOW DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eKeystroke logging\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MSSql\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" 
Value=\\\"sa\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"tgtsvr01.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Database\\\" Value=\\\"master\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580240\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011980\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SQL;DB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 07:29:37\",\"IsoTimestamp\":\"2021-03-25T11:29:37Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"412\",\"Desc\":\"Keystroke logging\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Keystroke logging\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"MSSQL\",\"File\":\"Root\\\\Database-MSSql-epmsvr01.cybr.com-sa\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"Command=SHOW 
DATABASES\\\\;;ConnectionComponentId=PSM-SQLServerMgmtStudio;DataBase=master;DstHost=tgtsvr01.cybr.com;Protocol=SQLNet;PSMID=PSMServer;SessionID=975edc19-ad10-4b42-8098-f26afab40fac;SrcHost=127.0.0.1;TXTOffset=702B;User=sa;VIDOffset=33T;\",\"Message\":\"Keystroke logging\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MSSql\"},{\"Name\":\"UserName\",\"Value\":\"sa\"},{\"Name\":\"Address\",\"Value\":\"tgtsvr01.cybr.com\"},{\"Name\":\"Database\",\"Value\":\"master\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580240\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011980\"},{\"Name\":\"Tags\",\"Value\":\"SQL;DB\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "412",
 "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json 
index f56b75c3726..62ef50979b6 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json 
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-414-cpm-verify-ssh-key.log-expected.json
@@ -93,7 +93,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:15.689852800Z", + "ingested": "2021-06-09T10:24:35.266376100Z", "original": "\u003c5\u003e1 2021-03-25T10:04:06Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 06:04:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T10:04:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e414\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Verify SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Verify SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux SSH Keys\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-rhel7.cybr.com-firecall1\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eVerificationPeriod\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall1;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Verify SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"VerifyTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616666646\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1582315464\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 06:04:06\",\"IsoTimestamp\":\"2021-03-25T10:04:06Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"414\",\"Desc\":\"CPM Verify SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Verify SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux SSH Keys\",\"File\":\"Root\\\\Operating 
System-UnixSSHKeys-rhel7.cybr.com-firecall1\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"VerificationPeriod\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall1;\",\"Message\":\"CPM Verify SSH Key\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"firecall1\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"SequenceID\",\"Value\":\"2\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"VerifyTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616666646\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1582315464\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}", "code": "414", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json index 713aaf53992..4d4c14174b6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-427-store-ssh-key.log-expected.json 
@@ -62,7 +62,7 @@ "event": { "severity": 2, "action": "store ssh key", - "ingested": "2021-06-04T11:33:15.739741800Z", + "ingested": "2021-06-09T10:24:35.310803700Z", "original": "\u003c5\u003e1 2021-03-11T16:50:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e427\u003c/MessageID\u003e\\n \u003cDesc\u003eStore SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:17\",\"IsoTimestamp\":\"2021-03-11T16:50:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"427\",\"Desc\":\"Store SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store SSH Key\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "427", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json index b5996b7eacd..efe7af7e9cd 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-428-retrieve-ssh-key.log-expected.json 
@@ -99,7 +99,7 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)for fun and profit", - "ingested": "2021-06-04T11:33:15.770419Z", + "ingested": "2021-06-09T10:24:35.337710600Z", "original": "\u003c5\u003e1 2021-03-11T17:43:44Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:43:44\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:43:44Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)for fun and profit\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003efor fun and profit\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n 
\u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:43:44\",\"IsoTimestamp\":\"2021-03-11T17:43:44Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)for fun and profit\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"for fun and profit\",\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", 
@@ -219,7 +219,7 @@ "event": { "severity": 2, "reason": "(Action: Connect)testing(Connection to address: 34.123.103.115)", - "ingested": "2021-06-04T11:33:15.770430400Z", + "ingested": "2021-06-09T10:24:35.337721500Z", "original": "\u003c5\u003e1 2021-03-11T21:08:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:08:48\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:08:48Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Connect)testing(Connection to address: 34.123.103.115)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cUserReason\u003etesting\u003c/UserReason\u003e\\n \u003cRetrieveAction\u003eConnect\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n \u003cConnectionDetails\u003e\\n \u003cConnectionAddress\u003e34.123.103.115\u003c/ConnectionAddress\u003e\\n \u003c/ConnectionDetails\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n 
\u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:08:48\",\"IsoTimestamp\":\"2021-03-11T21:08:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Connect)testing(Connection to address: 34.123.103.115)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"UserReason\":\"testing\",\"RetrieveAction\":\"Connect\"},\"ConnectionDetails\":{\"ConnectionAddress\":\"34.123.103.115\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", 
"kind": "event", 
@@ -335,7 +335,7 @@ "event": { "severity": 2, "reason": "(Action: Retrieve SSH key)", - "ingested": "2021-06-04T11:33:15.770433Z", + "ingested": "2021-06-09T10:24:35.337724300Z", "original": "\u003c5\u003e1 2021-03-15T13:18:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:18:52\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:18:52Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e428\u003c/MessageID\u003e\\n \u003cDesc\u003eRetrieve SSH Key\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eRetrieve SSH Key\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e(Action: Retrieve SSH key)\u003c/Reason\u003e\\n \u003cPvwaDetails\u003e\u003cRetrieveReason\u003e\\n \u003cGeneral\u003e\\n \u003cRetrieveAction\u003eRetrieve SSH key\u003c/RetrieveAction\u003e\\n \u003c/General\u003e\\n\u003c/RetrieveReason\u003e\u003c/PvwaDetails\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eRetrieve SSH Key\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" 
Value=\\\"UnixSSHKeys\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:18:52\",\"IsoTimestamp\":\"2021-03-15T13:18:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"428\",\"Desc\":\"Retrieve SSH Key\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Retrieve SSH Key\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-UnixSSHKeys-34.123.103.115-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"(Action: Retrieve SSH key)\",\"PvwaDetails\":{\"RetrieveReason\":{\"General\":{\"RetrieveAction\":\"Retrieve SSH key\"}}},\"ExtraDetails\":\"\",\"Message\":\"Retrieve SSH Key\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSHKeys\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "428", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json index bfa1614b861..b958a33ded2 100644 
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-449-create-discovery-succeeded.log-expected.json 
@@ -49,7 +49,7 @@ "event": { "severity": 2, "action": "create discovery succeeded", - "ingested": "2021-06-04T11:33:15.879035200Z", + "ingested": "2021-06-09T10:24:35.458324400Z", "original": "\u003c5\u003e1 2021-03-14T12:06:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:06:35\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:06:35Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e449\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate Discovery Succeeded\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eCreate Discovery Succeeded\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eStatus:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate Discovery Succeeded\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:06:35\",\"IsoTimestamp\":\"2021-03-14T12:06:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"449\",\"Desc\":\"Create Discovery 
Succeeded\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create Discovery Succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Status:Success; Discovery:\u003cWindows discovery from ELASTIC.local\u003e; Reason:;\",\"ExtraDetails\":\"\",\"Message\":\"Create Discovery Succeeded\",\"GatewayStation\":\"\"}}}", "code": "449", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json index 4b2d293b4b4..fb2892443a2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-459-general-audit.log-expected.json 
@@ -76,7 +76,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-06-04T11:33:15.903375500Z", + "ingested": "2021-06-09T10:24:35.480432400Z", "original": "\u003c5\u003e1 2021-03-08T10:19:42Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 02:19:42\",\"IsoTimestamp\":\"2021-03-08T10:19:42Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"24\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1614868762\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -158,7 +158,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-06-04T11:33:15.903386300Z", + "ingested": "2021-06-09T10:24:35.480443300Z", "original": "\u003c5\u003e1 2021-03-10T14:38:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 06:38:57\",\"IsoTimestamp\":\"2021-03-10T14:38:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountA\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=1;\",\"Message\":\"General Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountA\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"27\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615231204\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"1\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" 
@@ -241,7 +241,7 @@ "event": { "severity": 2, "action": "general audit", - "ingested": "2021-06-04T11:33:15.903389Z", + "ingested": "2021-06-09T10:24:35.480446Z", "original": "\u003c5\u003e1 2021-03-14T11:48:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 04:48:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T11:48:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e459\u003c/MessageID\u003e\\n \u003cDesc\u003eGeneral Audit\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eGeneral Audit\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eTest\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eDual account rotation\u003c/Reason\u003e\\n \u003cExtraDetails\u003eDualAccountStatus=Active;Index=2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eGeneral Audit\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDesktopLocal\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"x_accountB\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"components\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"SequenceID\\\" Value=\\\"25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"success\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"-1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"GroupName\\\" Value=\\\"WindowsGroup\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1615419568\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Index\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DualAccountStatus\\\" Value=\\\"Active\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"VirtualUsername\\\" Value=\\\"virtual\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 04:48:26\",\"IsoTimestamp\":\"2021-03-14T11:48:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"459\",\"Desc\":\"General Audit\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"General Audit\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WindowsDesktopLocalAccountsRotationalPolicy-10.0.1.20-x_accountB\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"Dual account rotation\",\"ExtraDetails\":\"DualAccountStatus=Active;Index=2;\",\"Message\":\"General 
Audit\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"x_accountB\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"SequenceID\",\"Value\":\"25\"},{\"Name\":\"CPMStatus\",\"Value\":\"success\"},{\"Name\":\"RetriesCount\",\"Value\":\"-1\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"GroupName\",\"Value\":\"WindowsGroup\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1615419568\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"Index\",\"Value\":\"2\"},{\"Name\":\"DualAccountStatus\",\"Value\":\"Active\"},{\"Name\":\"VirtualUsername\",\"Value\":\"virtual\"}]}}}}", "code": "459", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json index 5eef1d615c6..8923f256957 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-467-the-component-public-key-for-jwt-authentication-was-updated.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "the component public key for jwt authentication was updated", - "ingested": "2021-06-04T11:33:16.011617100Z", + "ingested": "2021-06-09T10:24:35.576057Z", "original": "\u003c5\u003e1 2021-03-10T18:14:35Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:14:35\",\"IsoTimestamp\":\"2021-03-10T18:14:35Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"467\",\"Desc\":\"The component public key for JWT authentication was updated\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"The component public key for JWT authentication was updated\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"The component public key for JWT authentication was updated\",\"GatewayStation\":\"\"}}}", "code": "467", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json index e765697b5a5..860294e8474 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-479-security-warning-the-signature-hash-algorithm-of-the-vault-certificate-is-sha1.log-expected.json 
@@ -46,7 +46,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:16.037606600Z", + "ingested": "2021-06-09T10:24:35.596452500Z", "original": "\u003c7\u003e1 2021-03-04T19:10:01Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:01\",\"IsoTimestamp\":\"2021-03-04T19:10:01Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", 
@@ -90,7 +90,7 @@ }, "event": { "severity": 7, - "ingested": "2021-06-04T11:33:16.037616900Z", + "ingested": "2021-06-09T10:24:35.596463100Z", "original": "Mar 08 07:46:54 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"479\",\"Desc\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"Severity\":\"Error\",\"Issuer\":\"Builtin\",\"Action\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Security warning - The Signature Hash Algorithm of the Vault certificate is SHA1.\",\"GatewayStation\":\"\"}}}", "code": "479", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json index 7dcdf96f11f..11c2734067d 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-482-update-existing-add-account-bulk-operation-succeeded.log-expected.json 
@@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "update existing add account bulk operation succeeded", - "ingested": "2021-06-04T11:33:16.084734300Z", + "ingested": "2021-06-09T10:24:35.631517300Z", "original": "\u003c5\u003e1 2021-03-10T08:31:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:31:49\",\"IsoTimestamp\":\"2021-03-10T08:31:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"482\",\"Desc\":\"Update existing Add Account Bulk Operation succeeded\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Update existing Add Account Bulk Operation succeeded\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Update existing Add Account Bulk Operation succeeded\",\"GatewayStation\":\"\"}}}", "code": "482", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json index 527d38ff4ee..3fc6d26d4e2 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-50-store-file.log-expected.json 
@@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-04T11:33:16.110786300Z", + "ingested": "2021-06-09T10:24:35.653794300Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" @@ -122,7 +122,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-04T11:33:16.110796900Z", + "ingested": "2021-06-09T10:24:35.653805600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:21\",\"IsoTimestamp\":\"2021-03-10T09:11:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPConf\",\"File\":\"Root\\\\syntaxparser-conf.json.1.1\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -180,7 +180,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-04T11:33:16.110813100Z", + "ingested": "2021-06-09T10:24:35.653820300Z", "original": "\u003c5\u003e1 2021-03-10T18:36:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:36:22\",\"IsoTimestamp\":\"2021-03-10T18:36:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" @@ -249,7 +249,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-04T11:33:16.110817200Z", + "ingested": "2021-06-09T10:24:35.653824400Z", "original": "\u003c5\u003e1 2021-03-10T22:17:56Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:56\",\"IsoTimestamp\":\"2021-03-10T22:17:56Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -320,7 +320,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-04T11:33:16.110820200Z", + "ingested": "2021-06-09T10:24:35.653827400Z", "original": "\u003c5\u003e1 2021-03-11T17:38:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMRecordings\u003c/Safe\u003e\\n \u003cFile\u003eroot\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 09:38:27\",\"IsoTimestamp\":\"2021-03-11T17:38:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMRecordings\",\"File\":\"root\\\\87012dcc-8290-11eb-949e-080027efd402.SSH.txt\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"\"}}}", "code": "50", "kind": "event" 
@@ -388,7 +388,7 @@ "event": { "severity": 2, "action": "store file", - "ingested": "2021-06-04T11:33:16.110822500Z", + "ingested": "2021-06-09T10:24:35.653829700Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e50\u003c/MessageID\u003e\\n \u003cDesc\u003eStore File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eStore File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eStore File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"50\",\"Desc\":\"Store File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Store 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Store File\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "50", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json index b2cd019b151..4c4507cb66a 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-51-retrieve-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-04T11:33:16.253471100Z", + "ingested": "2021-06-09T10:24:35.778795800Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" 
@@ -110,7 +110,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-04T11:33:16.253485900Z", + "ingested": "2021-06-09T10:24:35.778809900Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AppProviderConf\",\"File\":\"Root\\\\main_appprovider.conf.Win64.11.04\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json index ee264404885..2c8002eeaea 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-52-delete-file.log-expected.json 
@@ -69,7 +69,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-04T11:33:16.296182900Z", + "ingested": "2021-06-09T10:24:35.820704600Z", "original": "\u003c5\u003e1 2021-03-08T18:32:43Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:32:43\",\"IsoTimestamp\":\"2021-03-08T18:32:43Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Test\",\"File\":\"Root\\\\Operating System-WinDesktopLocal-Address-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDesktopLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -145,7 +145,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-04T11:33:16.296200600Z", + "ingested": "2021-06-09T10:24:35.820719900Z", "original": "\u003c5\u003e1 2021-03-08T18:38:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:38:21\",\"IsoTimestamp\":\"2021-03-08T18:38:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"VaultInternal\",\"File\":\"Root\\\\Operating System-WinServerLocal-components-adriansr\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinServerLocal\"},{\"Name\":\"UserName\",\"Value\":\"adriansr\"},{\"Name\":\"Address\",\"Value\":\"components\"},{\"Name\":\"LogonDomain\",\"Value\":\"COMPONENTS\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -203,7 +203,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-04T11:33:16.296202900Z", + "ingested": "2021-06-09T10:24:35.820722100Z", "original": "\u003c5\u003e1 2021-03-08T19:20:04Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 11:20:04\",\"IsoTimestamp\":\"2021-03-08T19:20:04Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"Root\\\\Test_4\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" 
@@ -273,7 +273,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-04T11:33:16.296204700Z", + "ingested": "2021-06-09T10:24:35.820723800Z", "original": "\u003c5\u003e1 2021-03-11T18:59:57Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 10:59:57\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T18:59:57Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\u003c/File\u003e\\n \u003cStation\u003e35.192.121.42\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 10:59:57\",\"IsoTimestamp\":\"2021-03-11T18:59:57Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Delete 
File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\c89ca3ba9c76f820fdc58e86f2c854f99d232fcd\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\"}}}", "code": "52", "kind": "event" 
@@ -341,7 +341,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-04T11:33:16.296206800Z", + "ingested": "2021-06-09T10:24:35.820725300Z", "original": "\u003c5\u003e1 2021-03-11T19:32:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:32:12\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:32:12Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_1\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_2\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_3\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"_PSMLiveSessions_4\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n 
\u003cCAProperty Name=\\\"_PSMLiveSessions_5\\\" Value=\\\"\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:32:12\",\"IsoTimestamp\":\"2021-03-11T19:32:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"_PSMLiveSessions_1\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_2\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_3\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_4\",\"Value\":\"\"},{\"Name\":\"_PSMLiveSessions_5\",\"Value\":\"\"}]}}}}", "code": "52", "kind": "event" 
@@ -417,7 +417,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-04T11:33:16.296208300Z", + "ingested": "2021-06-09T10:24:35.820726700Z", "original": "\u003c5\u003e1 2021-03-11T21:06:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:40\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:40Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"35.192.121.42\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" 
Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:40\",\"IsoTimestamp\":\"2021-03-11T21:06:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-PSMConnect\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"35.192.121.42\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "52", "kind": "event" 
@@ -491,7 +491,7 @@ "event": { "severity": 2, "action": "delete file", - "ingested": "2021-06-04T11:33:16.296232200Z", + "ingested": "2021-06-09T10:24:35.820759300Z", "original": "\u003c5\u003e1 2021-03-11T21:06:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:06:50\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:06:50Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSM-ASR-CYBERARK-WI\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.65\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"ASR-CYBERARK-WI\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:06:50\",\"IsoTimestamp\":\"2021-03-11T21:06:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMConnect\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.65\"},{\"Name\":\"LogonDomain\",\"Value\":\"ASR-CYBERARK-WI\"}]}}}}", "code": "52", "kind": "event" 
@@ -565,7 +565,7 @@
 "event": {
 "severity": 2,
 "action": "delete file",
- "ingested": "2021-06-04T11:33:16.296234400Z",
+ "ingested": "2021-06-09T10:24:35.820761900Z",
 "original": "\u003c5\u003e1 2021-03-14T12:10:17Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:10:17\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:10:17Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSM\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMAdmin\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"PSMAdminConnect\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"169.254.180.25\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"VAGRANT-2012-R2\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n 
\u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:10:17\",\"IsoTimestamp\":\"2021-03-14T12:10:17Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSM\",\"File\":\"Root\\\\PSMAdmin\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"UserName\",\"Value\":\"PSMAdminConnect\"},{\"Name\":\"Address\",\"Value\":\"169.254.180.25\"},{\"Name\":\"LogonDomain\",\"Value\":\"VAGRANT-2012-R2\"}]}}}}",
 "code": "52",
 "kind": "event" 
@@ -643,7 +643,7 @@
 "event": {
 "severity": 2,
 "action": "delete file",
- "ingested": "2021-06-04T11:33:16.296236100Z",
+ "ingested": "2021-06-09T10:24:35.820763400Z",
 "original": "\u003c5\u003e1 2021-03-15T15:09:00Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:09:00\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:09:00Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-Oracle-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"Oracle\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:09:00\",\"IsoTimestamp\":\"2021-03-15T15:09:00Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-Oracle-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"Oracle\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}",
 "code": "52",
 "kind": "event" 
@@ -721,7 +721,7 @@
 "event": {
 "severity": 2,
 "action": "delete file",
- "ingested": "2021-06-04T11:33:16.296237600Z",
+ "ingested": "2021-06-09T10:24:35.820764900Z",
 "original": "\u003c5\u003e1 2021-03-15T15:13:59Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 08:13:59\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T15:13:59Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e52\u003c/MessageID\u003e\\n \u003cDesc\u003eDelete File\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eDelete File\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Database-MySQL-10.128.0.7-adrian\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eDelete File\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"MySQL\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"adrian\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"10.128.0.7\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Port\\\" Value=\\\"3306\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty 
Name=\\\"Database\\\" Value=\\\"test\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Database\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 08:13:59\",\"IsoTimestamp\":\"2021-03-15T15:13:59Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"52\",\"Desc\":\"Delete File\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Delete File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Database-MySQL-10.128.0.7-adrian\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Delete File\",\"GatewayStation\":\"10.0.1.20\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"MySQL\"},{\"Name\":\"UserName\",\"Value\":\"adrian\"},{\"Name\":\"Address\",\"Value\":\"10.128.0.7\"},{\"Name\":\"Port\",\"Value\":\"3306\"},{\"Name\":\"Database\",\"Value\":\"test\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Database\"}]}}}}",
 "code": "52",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json
index e74b3e19ee1..d45d810897b 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-57-cpm-change-password-failed.log-expected.json 
@@ -92,7 +92,7 @@
 "event": {
 "severity": 7,
 "reason": "Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002",
- "ingested": "2021-06-04T11:33:16.538837800Z",
+ "ingested": "2021-06-09T10:24:36.068992600Z",
 "original": "\u003c7\u003e1 2021-03-25T12:00:08Z VLT01 {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 25 08:00:08\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-25T12:00:08Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVLT01\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e12.0.0000\u003c/Version\u003e\\n \u003cMessageID\u003e57\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Change Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Change Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eLinux Accounts\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\u003c/File\u003e\\n \u003cStation\u003e10.0.0.15\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=rhel7.cybr.com;username=firecall2;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Change Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"firecall2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"rhel7.cybr.com\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Name\\\" Value=\\\"Operating System-UnixSSH-rhel7.cybr.com-root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Folder\\\" Value=\\\"Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ExtraPass3Safe\\\" Value=\\\"Linux Root\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1616673608\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ChangeTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1616580255\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessChange\\\" Value=\\\"1616011989\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessReconciliation\\\" Value=\\\"1576120341\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"No\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Tags\\\" Value=\\\"SSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Privcloud\\\" Value=\\\"privcloud\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 25 08:00:08\",\"IsoTimestamp\":\"2021-03-25T12:00:08Z\",\"Hostname\":\"VLT01\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"12.0.0000\",\"MessageID\":\"57\",\"Desc\":\"CPM Change Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Change Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"Linux Accounts\",\"File\":\"Root\\\\Operating System-UnixSSH-rhel7.cybr.com-firecall2\",\"Station\":\"10.0.0.15\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. 
Error code:9002\",\"ExtraDetails\":\"address=rhel7.cybr.com;username=firecall2;\",\"Message\":\"CPM Change Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"firecall2\"},{\"Name\":\"Address\",\"Value\":\"rhel7.cybr.com\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ChangeTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"ExtraPass3Name\",\"Value\":\"Operating System-UnixSSH-rhel7.cybr.com-root\"},{\"Name\":\"ExtraPass3Folder\",\"Value\":\"Root\"},{\"Name\":\"ExtraPass3Safe\",\"Value\":\"Linux Root\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1616673608\"},{\"Name\":\"LastTask\",\"Value\":\"ChangeTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1616580255\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Execution error. EXT01::A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Error code:9002\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"LastSuccessChange\",\"Value\":\"1616011989\"},{\"Name\":\"LastSuccessReconciliation\",\"Value\":\"1576120341\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"No\"},{\"Name\":\"Tags\",\"Value\":\"SSH\"},{\"Name\":\"Privcloud\",\"Value\":\"privcloud\"}]}}}}",
 "code": "57",
 "kind": "event",
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
index c742e99c24d..de870f22440 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-59-clear-safe-history.log-expected.json 
@@ -48,7 +48,7 @@
 "event": {
 "severity": 2,
 "action": "clear safe history",
- "ingested": "2021-06-04T11:33:16.582439400Z",
+ "ingested": "2021-06-09T10:24:36.123418600Z",
 "original": "\u003c5\u003e1 2021-03-04T19:25:02Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:25:02\",\"IsoTimestamp\":\"2021-03-04T19:25:02Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}",
 "code": "59",
 "kind": "event"
@@ -92,7 +92,7 @@
 "event": {
 "severity": 2,
 "action": "clear safe history",
- "ingested": "2021-06-04T11:33:16.582449Z",
+ "ingested": "2021-06-09T10:24:36.123427700Z",
 "original": "Mar 08 03:10:31 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManager_workspace\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}",
 "code": "59",
 "kind": "event" 
@@ -149,7 +149,7 @@
 "event": {
 "severity": 2,
 "action": "clear safe history",
- "ingested": "2021-06-04T11:33:16.582450700Z",
+ "ingested": "2021-06-09T10:24:36.123429600Z",
 "original": "\u003c5\u003e1 2021-03-09T09:00:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 01:00:47\",\"IsoTimestamp\":\"2021-03-09T09:00:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"59\",\"Desc\":\"Clear Safe History\",\"Severity\":\"Info\",\"Issuer\":\"Batch\",\"Action\":\"Clear Safe History\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"System\",\"File\":\"\",\"Station\":\"0.0.0.0\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Clear Safe History\",\"GatewayStation\":\"\"}}}",
 "code": "59",
 "kind": "event"
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
index 8934490ef21..7fba23302b0 100644
--- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json
+++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-60-cpm-reconcile-password-failed.log-expected.json 
@@ -98,7 +98,7 @@
 "event": {
 "severity": 7,
 "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined",
- "ingested": "2021-06-04T11:33:16.635874300Z",
+ "ingested": "2021-06-09T10:24:36.176769500Z",
 "original": "\u003c7\u003e1 2021-03-11T21:12:22Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 13:12:22\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T21:12:22Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615497142\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 13:12:22\",\"IsoTimestamp\":\"2021-03-11T21:12:22Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile 
Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #0). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615497142\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "60",
 "kind": "event", 
@@ -219,7 +219,7 @@
 "event": {
 "severity": 7,
 "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined",
- "ingested": "2021-06-04T11:33:16.635884300Z",
+ "ingested": "2021-06-09T10:24:36.176778300Z",
 "original": "\u003c7\u003e1 2021-03-14T13:18:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:18:15\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:18:15Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"2\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615727895\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:18:15\",\"IsoTimestamp\":\"2021-03-14T13:18:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #2). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=2;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"2\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615727895\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}",
 "code": "60",
 "kind": "event", 
@@ -336,7 +336,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-04T11:33:16.635886200Z", + "ingested": "2021-06-09T10:24:36.176780600Z", "original": "\u003c7\u003e1 2021-03-14T13:46:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:46:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:46:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615729572\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 06:46:13\",\"IsoTimestamp\":\"2021-03-14T13:46:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615729572\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -457,7 +457,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-04T11:33:16.635887600Z", + "ingested": "2021-06-09T10:24:36.176781900Z", "original": "\u003c7\u003e1 2021-03-14T14:49:11Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 07:49:11\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T14:49:11Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"3\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615733350\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 07:49:11\",\"IsoTimestamp\":\"2021-03-14T14:49:11Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #3). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=3;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"3\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615733350\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -578,7 +578,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-04T11:33:16.635888900Z", + "ingested": "2021-06-09T10:24:36.176783200Z", "original": "\u003c7\u003e1 2021-03-15T10:12:18Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:18\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:18Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"4\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:18\",\"IsoTimestamp\":\"2021-03-15T10:12:18Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM 
Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #4). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=4;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"4\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -696,7 +696,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-04T11:33:16.635890200Z", + "ingested": "2021-06-09T10:24:36.176784500Z", "original": "\u003c7\u003e1 2021-03-15T10:12:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 03:12:19\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T10:12:19Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615803137\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 03:12:19\",\"IsoTimestamp\":\"2021-03-15T10:12:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615803137\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. 
Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -818,7 +818,7 @@ "event": { "severity": 7, "reason": "Parameter Reconcile account is mandatory but has an empty value or is not defined", - "ingested": "2021-06-04T11:33:16.635891500Z", + "ingested": "2021-06-09T10:24:36.176785800Z", "original": "\u003c7\u003e1 2021-03-15T12:57:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 05:57:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T12:57:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). 
Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"WinDomain\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"ELASTIC\\\\bart\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMDisabled\\\" Value=\\\"(CPM)MaxRetries\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"5\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LogonDomain\\\" Value=\\\"34.66.114.180\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"Parameter Reconcile account is mandatory but has an empty value or is not defined\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 
05:57:13\",\"IsoTimestamp\":\"2021-03-15T12:57:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-WinDomain-35.192.121.42-ELASTICbart\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask,Failure. Failure Description: CACPM406E Reconciling Master Safe: partner, Folder: Root, Object: Operating System-WinDomain-35.192.121.42-ELASTICbart failed (try #5). Code: 2101, Error: Parameter Reconcile account is mandatory but has an empty value or is not defined\\n\",\"ExtraDetails\":\"address=34.66.114.180;retriescount=5;username=ELASTIC\\\\bart;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"WinDomain\"},{\"Name\":\"UserName\",\"Value\":\"ELASTIC\\\\bart\"},{\"Name\":\"Address\",\"Value\":\"34.66.114.180\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"CPMDisabled\",\"Value\":\"(CPM)MaxRetries\"},{\"Name\":\"RetriesCount\",\"Value\":\"5\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813031\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LogonDomain\",\"Value\":\"34.66.114.180\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"Parameter Reconcile account is mandatory but has an empty value or is not defined\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -936,7 +936,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-04T11:33:16.635892800Z", + "ingested": "2021-06-09T10:24:36.176787Z", "original": "\u003c7\u003e1 2021-03-15T13:04:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 06:04:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T13:04:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"0\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615813465\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 06:04:27\",\"IsoTimestamp\":\"2021-03-15T13:04:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #0). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"0\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615813465\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"}]}}}}", "code": "60", "kind": "event", 
@@ -1057,7 +1057,7 @@ "event": { "severity": 7, "reason": "First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031", - "ingested": "2021-06-04T11:33:16.635894200Z", + "ingested": "2021-06-09T10:24:36.176788400Z", "original": "\u003c7\u003e1 2021-03-15T14:44:37Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 15 07:44:37\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-15T14:44:37Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e60\u003c/MessageID\u003e\\n \u003cDesc\u003eCPM Reconcile Password Failed\u003c/Desc\u003e\\n \u003cSeverity\u003eError\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCPM Reconcile Password Failed\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003epartner\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Operating System-UnixSSH-34.123.103.115-testark\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003eImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\u003c/Reason\u003e\\n \u003cExtraDetails\u003eaddress=34.123.103.115;retriescount=1;username=testark;\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCPM Reconcile Password Failed\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003cCAProperties\u003e\\n \u003cCAProperty Name=\\\"PolicyID\\\" Value=\\\"UnixSSH\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UserName\\\" Value=\\\"testark\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"Address\\\" Value=\\\"34.123.103.115\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"ResetImmediately\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMStatus\\\" Value=\\\"failure\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"RetriesCount\\\" Value=\\\"1\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastFailDate\\\" Value=\\\"1615819476\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastTask\\\" Value=\\\"ReconcileTask\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"LastSuccessVerification\\\" Value=\\\"1615803764\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CPMErrorDetails\\\" Value=\\\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"CreationMethod\\\" Value=\\\"PVWA\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"DeviceType\\\" Value=\\\"Operating System\\\"\u003e\u003c/CAProperty\u003e\\n \u003cCAProperty Name=\\\"UseSudoOnReconcile\\\" Value=\\\"Yes\\\"\u003e\u003c/CAProperty\u003e\\n \u003c/CAProperties\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 15 07:44:37\",\"IsoTimestamp\":\"2021-03-15T14:44:37Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"60\",\"Desc\":\"CPM Reconcile Password Failed\",\"Severity\":\"Error\",\"Issuer\":\"PasswordManager\",\"Action\":\"CPM Reconcile Password Failed\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"partner\",\"File\":\"Root\\\\Operating System-UnixSSH-34.123.103.115-testark\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"ImmediateTask. Failure Description: CACPM406E Reconciling Password Safe: partner, Folder: Root, Object: Operating System-UnixSSH-34.123.103.115-testark failed (try #1). Code: 8031, Error: First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. 
code: 8031\\n\",\"ExtraDetails\":\"address=34.123.103.115;retriescount=1;username=testark;\",\"Message\":\"CPM Reconcile Password Failed\",\"GatewayStation\":\"\",\"CAProperties\":{\"CAProperty\":[{\"Name\":\"PolicyID\",\"Value\":\"UnixSSH\"},{\"Name\":\"UserName\",\"Value\":\"testark\"},{\"Name\":\"Address\",\"Value\":\"34.123.103.115\"},{\"Name\":\"ResetImmediately\",\"Value\":\"ReconcileTask\"},{\"Name\":\"CPMStatus\",\"Value\":\"failure\"},{\"Name\":\"RetriesCount\",\"Value\":\"1\"},{\"Name\":\"LastFailDate\",\"Value\":\"1615819476\"},{\"Name\":\"LastTask\",\"Value\":\"ReconcileTask\"},{\"Name\":\"LastSuccessVerification\",\"Value\":\"1615803764\"},{\"Name\":\"CPMErrorDetails\",\"Value\":\"First login - Reconcile account is not set or password is empty. Please link reconcile account to the target account or set the password. code: 8031\"},{\"Name\":\"CreationMethod\",\"Value\":\"PVWA\"},{\"Name\":\"DeviceType\",\"Value\":\"Operating System\"},{\"Name\":\"UseSudoOnReconcile\",\"Value\":\"Yes\"}]}}}}", "code": "60", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json index 4344cb47a71..34a4efe3530 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-62-create-file-version.log-expected.json 
@@ -64,7 +64,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981431Z", + "ingested": "2021-06-09T10:24:36.502246900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:54\",\"IsoTimestamp\":\"2021-03-10T09:11:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_localhost.localdomain.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -134,7 +134,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981440700Z", + "ingested": "2021-06-09T10:24:36.502258900Z", "original": "\u003c5\u003e1 2021-03-10T17:58:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 09:58:05\",\"IsoTimestamp\":\"2021-03-10T17:58:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMNotifications\",\"File\":\"Root\\\\SessionControl\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -204,7 +204,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981442400Z", + "ingested": "2021-06-09T10:24:36.502260800Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSMServer.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" @@ -273,7 +273,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981443700Z", + "ingested": "2021-06-09T10:24:36.502262200Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMLiveSessions\",\"File\":\"Root\\\\PSM-ASR-CYBERARK-WI.LiveSessions\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -332,7 +332,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981445Z", + "ingested": "2021-06-09T10:24:36.502263800Z", "original": "\u003c5\u003e1 2021-03-11T16:50:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:50:29\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:50:29Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePVWAAppUser\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:50:29\",\"IsoTimestamp\":\"2021-03-11T16:50:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMSessions\",\"File\":\"Root\\\\ec7c3e3bd11069dd20a491a6b11bbe293bf4780b\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -403,7 +403,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981446500Z", + "ingested": "2021-06-09T10:24:36.502265100Z", "original": "\u003c5\u003e1 2021-03-11T16:59:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:58\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:58Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_VAGRANT.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:58\",\"IsoTimestamp\":\"2021-03-11T16:59:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_VAGRANT.LiveSessions\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" 
@@ -470,7 +470,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981447800Z", + "ingested": "2021-06-09T10:24:36.502266400Z", "original": "\u003c5\u003e1 2021-03-14T12:07:32Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:07:32\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:07:32Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePasswordManager\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003eAccountsFeedDiscoveryLogs\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\u003c/File\u003e\\n \u003cStation\u003e10.0.1.20\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:07:32\",\"IsoTimestamp\":\"2021-03-14T12:07:32Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"AccountsFeedDiscoveryLogs\",\"File\":\"Root\\\\Windows discovery from ELASTIC.local_PasswordManager_UID1.log\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "62", "kind": "event" 
@@ -538,7 +538,7 @@ "event": { "severity": 2, "action": "create file version", - "ingested": "2021-06-04T11:33:16.981449Z", + "ingested": "2021-06-09T10:24:36.502267700Z", "original": "\u003c5\u003e1 2021-03-14T12:57:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:27\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:27Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e62\u003c/MessageID\u003e\\n \u003cDesc\u003eCreate File Version\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eCreate File Version\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePSMPLiveSessions\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PSMPApp_SSH.LiveSessions\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eCreate File Version\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:27\",\"IsoTimestamp\":\"2021-03-14T12:57:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"62\",\"Desc\":\"Create File 
Version\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Create File Version\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PSMPLiveSessions\",\"File\":\"Root\\\\PSMPApp_SSH.LiveSessions\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Create File Version\",\"GatewayStation\":\"\"}}}", "code": "62", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json index 736c614acac..927b7d5d719 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-7-logon.log-expected.json 
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158021Z", + "ingested": "2021-06-09T10:24:36.675175400Z", "original": "{\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eno\u003c/Rfc5424\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.6.0000\u003c/Version\u003e\\n \u003cMessageID\u003e7\u003c/MessageID\u003e\\n \u003cDesc\u003eLogon\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eadm2\u003c/Issuer\u003e\\n \u003cAction\u003eLogon\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.2.0.6\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogon\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.2.0.3\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.6.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"adm2\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.2.0.6\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.2.0.3\",\"IsoTimestamp\":\"2021-03-16T15:01:00Z\"}}}", "code": "7", "kind": "event", 
@@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158032100Z", + "ingested": "2021-06-09T10:24:36.675184400Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -183,7 +183,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158034Z", + "ingested": "2021-06-09T10:24:36.675186400Z", "original": "\u003c5\u003e1 2021-03-04T19:10:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:20\",\"IsoTimestamp\":\"2021-03-04T19:10:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"SCIM-user\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -250,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158036200Z", + "ingested": "2021-06-09T10:24:36.675187800Z", "original": "\u003c5\u003e1 2021-03-04T19:11:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:20\",\"IsoTimestamp\":\"2021-03-04T19:11:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -317,7 +317,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158037600Z", + "ingested": "2021-06-09T10:24:36.675189100Z", "original": "\u003c5\u003e1 2021-03-04T19:11:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:11:23\",\"IsoTimestamp\":\"2021-03-04T19:11:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -384,7 +384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158038900Z", + "ingested": "2021-06-09T10:24:36.675190400Z", "original": "\u003c5\u003e1 2021-03-05T10:18:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 05 02:18:50\",\"IsoTimestamp\":\"2021-03-05T10:18:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -460,7 +460,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158040100Z", + "ingested": "2021-06-09T10:24:36.675191700Z", "original": "\u003c5\u003e1 2021-03-08T18:07:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:07:51\",\"IsoTimestamp\":\"2021-03-08T18:07:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", 
@@ -548,7 +548,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158041400Z", + "ingested": "2021-06-09T10:24:36.675192900Z", "original": "\u003c5\u003e1 2021-03-09T08:32:51Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 00:32:51\",\"IsoTimestamp\":\"2021-03-09T08:32:51Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", @@ -636,7 +636,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158042700Z", + "ingested": "2021-06-09T10:24:36.675194300Z", "original": "\u003c5\u003e1 2021-03-09T10:14:58Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 09 02:14:58\",\"IsoTimestamp\":\"2021-03-09T10:14:58Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"37.223.7.45\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "7", "kind": "event", 
@@ -715,7 +715,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158044100Z", + "ingested": "2021-06-09T10:24:36.675195600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -794,7 +794,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158045400Z", + "ingested": "2021-06-09T10:24:36.675197Z", "original": "\u003c5\u003e1 2021-03-10T09:11:48Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:48\",\"IsoTimestamp\":\"2021-03-10T09:11:48Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -873,7 +873,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.158046800Z", + "ingested": "2021-06-09T10:24:36.675198400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:49Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:49\",\"IsoTimestamp\":\"2021-03-10T09:11:49Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json index 9bc3363f904..a12e82639a9 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-8-logoff.log-expected.json 
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393067Z", + "ingested": "2021-06-09T10:24:36.904208100Z", "original": "\u003c5\u003e1 2021-03-08T18:19:15Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:19:15\",\"IsoTimestamp\":\"2021-03-08T18:19:15Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393075100Z", + "ingested": "2021-06-09T10:24:36.904217Z", "original": "\u003c5\u003e1 2021-03-08T18:59:23Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:59:23\",\"IsoTimestamp\":\"2021-03-08T18:59:23Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -183,7 +183,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393076700Z", + "ingested": "2021-06-09T10:24:36.904218600Z", "original": "\u003c5\u003e1 2021-03-10T08:28:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:28\",\"IsoTimestamp\":\"2021-03-10T08:28:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -250,7 +250,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393078200Z", + "ingested": "2021-06-09T10:24:36.904220Z", "original": "\u003c5\u003e1 2021-03-10T08:28:29Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:29\",\"IsoTimestamp\":\"2021-03-10T08:28:29Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -317,7 +317,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393079600Z", + "ingested": "2021-06-09T10:24:36.904221400Z", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -384,7 +384,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393081Z", + "ingested": "2021-06-09T10:24:36.904222700Z", "original": "\u003c5\u003e1 2021-03-10T08:28:30Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:28:30\",\"IsoTimestamp\":\"2021-03-10T08:28:30Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -463,7 +463,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393082200Z", + "ingested": "2021-06-09T10:24:36.904223900Z", "original": "\u003c5\u003e1 2021-03-10T09:11:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:33\",\"IsoTimestamp\":\"2021-03-10T09:11:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -542,7 +542,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393083500Z", + "ingested": "2021-06-09T10:24:36.904225200Z", "original": "\u003c5\u003e1 2021-03-10T09:12:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:20\",\"IsoTimestamp\":\"2021-03-10T09:12:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -621,7 +621,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393084800Z", + "ingested": "2021-06-09T10:24:36.904226400Z", "original": "\u003c5\u003e1 2021-03-10T09:12:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:12:27\",\"IsoTimestamp\":\"2021-03-10T09:12:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", @@ -699,7 +699,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393086100Z", + "ingested": "2021-06-09T10:24:36.904256400Z", "original": "\u003c5\u003e1 2021-03-10T22:17:27Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:27\",\"IsoTimestamp\":\"2021-03-10T22:17:27Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -788,7 +788,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393087400Z", + "ingested": "2021-06-09T10:24:36.904258500Z", "original": "\u003c5\u003e1 2021-03-11T17:38:13Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:38:13\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:38:13Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:38:13\",\"IsoTimestamp\":\"2021-03-11T17:38:13Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "8", "kind": "event", 
@@ -877,7 +877,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393088800Z", + "ingested": "2021-06-09T10:24:36.904260500Z", "original": "\u003c5\u003e1 2021-03-11T17:48:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:48:28\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:48:28Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e10.0.2.2\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e81.32.170.205\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:48:28\",\"IsoTimestamp\":\"2021-03-11T17:48:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.2.2\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"81.32.170.205\"}}}", "code": "8", "kind": "event", 
@@ -957,7 +957,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393090100Z", + "ingested": "2021-06-09T10:24:36.904261900Z", "original": "\u003c5\u003e1 2021-03-11T17:49:06Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 09:49:06\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T17:49:06Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 
09:49:06\",\"IsoTimestamp\":\"2021-03-11T17:49:06Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -1034,7 +1034,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393091300Z", + "ingested": "2021-06-09T10:24:36.904263300Z", "original": "\u003c5\u003e1 2021-03-14T12:57:20Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:20\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:20Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
05:57:20\",\"IsoTimestamp\":\"2021-03-14T12:57:20Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"\"}}}", "code": "8", "kind": "event", 
@@ -1132,7 +1132,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:17.393092500Z", + "ingested": "2021-06-09T10:24:36.904264500Z", "original": "\u003c5\u003e1 2021-03-14T13:49:36Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 06:49:36\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T13:49:36Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e8\u003c/MessageID\u003e\\n \u003cDesc\u003eLogoff\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eLogoff\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eLogoff\u003c/Message\u003e\\n \u003cGatewayStation\u003e34.71.250.247\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 
06:49:36\",\"IsoTimestamp\":\"2021-03-14T13:49:36Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"8\",\"Desc\":\"Logoff\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Logoff\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logoff\",\"GatewayStation\":\"34.71.250.247\"}}}", "code": "8", "kind": "event", diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json index f892d711355..be5eaf16d06 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-88-set-password.log-expected.json @@ -47,7 +47,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696325800Z", + "ingested": "2021-06-09T10:24:37.212139100Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -100,7 +100,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696335700Z", + "ingested": "2021-06-09T10:24:37.212147900Z", "original": "\u003c5\u003e1 2021-03-04T19:16:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:16:19\",\"IsoTimestamp\":\"2021-03-04T19:16:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -143,7 +143,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696337400Z", + "ingested": "2021-06-09T10:24:37.212149500Z", "original": "Mar 08 02:54:46 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -199,7 +199,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696338600Z", + "ingested": "2021-06-09T10:24:37.212150900Z", "original": "\u003c5\u003e1 2021-03-10T08:29:19Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:19\",\"IsoTimestamp\":\"2021-03-10T08:29:19Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"Prov_COMPONENTS\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -252,7 +252,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696339900Z", + "ingested": "2021-06-09T10:24:37.212152100Z", "original": "\u003c5\u003e1 2021-03-10T08:29:28Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 00:29:28\",\"IsoTimestamp\":\"2021-03-10T08:29:28Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -317,7 +317,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696341100Z", + "ingested": "2021-06-09T10:24:37.212153400Z", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -382,7 +382,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696342400Z", + "ingested": "2021-06-09T10:24:37.212154600Z", "original": "\u003c5\u003e1 2021-03-10T09:11:52Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:52\",\"IsoTimestamp\":\"2021-03-10T09:11:52Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -447,7 +447,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696343700Z", + "ingested": "2021-06-09T10:24:37.212155800Z", "original": "\u003c5\u003e1 2021-03-10T09:11:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 01:11:55\",\"IsoTimestamp\":\"2021-03-10T09:11:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_localhost.localdomain\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -512,7 +512,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696345100Z", + "ingested": "2021-06-09T10:24:37.212157600Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -577,7 +577,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696346200Z", + "ingested": "2021-06-09T10:24:37.212158800Z", "original": "\u003c5\u003e1 2021-03-10T18:46:47Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:46:47\",\"IsoTimestamp\":\"2021-03-10T18:46:47Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_VAGRANT\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" @@ -641,7 +641,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696347600Z", + "ingested": "2021-06-09T10:24:37.212160Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -705,7 +705,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696349100Z", + "ingested": "2021-06-09T10:24:37.212161300Z", "original": "\u003c5\u003e1 2021-03-10T22:20:12Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:20:12\",\"IsoTimestamp\":\"2021-03-10T22:20:12Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMGw_ASR-WIN\",\"Action\":\"Set Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -771,7 +771,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696350400Z", + "ingested": "2021-06-09T10:24:37.212162700Z", "original": "\u003c5\u003e1 2021-03-11T16:59:54Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:54\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:54Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:54\",\"IsoTimestamp\":\"2021-03-11T16:59:54Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -837,7 +837,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696351700Z", + "ingested": "2021-06-09T10:24:37.212163900Z", "original": "\u003c5\u003e1 2021-03-11T16:59:55Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 08:59:55\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T16:59:55Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_VAGRANT\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e81.32.170.205\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 08:59:55\",\"IsoTimestamp\":\"2021-03-11T16:59:55Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_VAGRANT\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -902,7 +902,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696352900Z", + "ingested": "2021-06-09T10:24:37.212165200Z", "original": "\u003c5\u003e1 2021-03-11T20:10:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 12:10:33\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T20:10:33Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMApp_ASR-WIN\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.66.114.180\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 12:10:33\",\"IsoTimestamp\":\"2021-03-11T20:10:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMApp_ASR-WIN\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.66.114.180\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -965,7 +965,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696393Z", + "ingested": "2021-06-09T10:24:37.212166500Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPGW_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPGW_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -1028,7 +1028,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696395200Z", + "ingested": "2021-06-09T10:24:37.212167700Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMPApp_SSH\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMPApp_SSH\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" 
@@ -1091,7 +1091,7 @@ "event": { "severity": 2, "action": "set password", - "ingested": "2021-06-04T11:33:17.696408200Z", + "ingested": "2021-06-09T10:24:37.212182200Z", "original": "\u003c5\u003e1 2021-03-14T12:57:25Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 14 05:57:25\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-14T12:57:25Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e88\u003c/MessageID\u003e\\n \u003cDesc\u003eSet Password\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003ePSMP_ADB_asr-cyberark-psm-ssh\u003c/Issuer\u003e\\n \u003cAction\u003eSet Password\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003e\u003c/Safe\u003e\\n \u003cFile\u003e\u003c/File\u003e\\n \u003cStation\u003e34.71.250.247\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eSet Password\u003c/Message\u003e\\n \u003cGatewayStation\u003e\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 14 05:57:25\",\"IsoTimestamp\":\"2021-03-14T12:57:25Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"88\",\"Desc\":\"Set Password\",\"Severity\":\"Info\",\"Issuer\":\"PSMP_ADB_asr-cyberark-psm-ssh\",\"Action\":\"Set 
Password\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"34.71.250.247\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Set Password\",\"GatewayStation\":\"\"}}}", "code": "88", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json index a559eb368cf..012959378c7 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-98-open-file-write-only.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-04T11:33:18.042698900Z", + "ingested": "2021-06-09T10:24:37.546522700Z", "original": "\u003c5\u003e1 2021-03-08T18:24:50Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 08 10:24:50\",\"IsoTimestamp\":\"2021-03-08T18:24:50Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAPrivateUserPrefs\",\"File\":\"Root\\\\YWRtaW5pc3RyYXRvcg==\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" 
@@ -122,7 +122,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-04T11:33:18.042705100Z", + "ingested": "2021-06-09T10:24:37.546544100Z", "original": "\u003c5\u003e1 2021-03-10T18:44:08Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 10:44:08\",\"IsoTimestamp\":\"2021-03-10T18:44:08Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"81.32.170.205\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" @@ -191,7 +191,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-04T11:33:18.042706300Z", + "ingested": "2021-06-09T10:24:37.546545600Z", "original": "\u003c5\u003e1 2021-03-10T22:17:40Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 10 14:17:40\",\"IsoTimestamp\":\"2021-03-10T22:17:40Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"ROOT\\\\PVConfiguration.xml\",\"Station\":\"35.192.121.42\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"\"}}}", "code": "98", "kind": "event" 
@@ -259,7 +259,7 @@ "event": { "severity": 2, "action": "open file (write only)", - "ingested": "2021-06-04T11:33:18.042707300Z", + "ingested": "2021-06-09T10:24:37.546546700Z", "original": "\u003c5\u003e1 2021-03-11T19:45:26Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"raw\":\"\u003csyslog\u003e\\n\\n \u003caudit_record\u003e\\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\\n \u003cTimestamp\u003eMar 11 11:45:26\u003c/Timestamp\u003e\\n \u003cIsoTimestamp\u003e2021-03-11T19:45:26Z\u003c/IsoTimestamp\u003e\\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\\n \u003cProduct\u003eVault\u003c/Product\u003e\\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\\n \u003cMessageID\u003e98\u003c/MessageID\u003e\\n \u003cDesc\u003eOpen File (Write Only)\u003c/Desc\u003e\\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\\n \u003cAction\u003eOpen File (Write Only)\u003c/Action\u003e\\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\\n \u003cSafe\u003ePVWAConfig\u003c/Safe\u003e\\n \u003cFile\u003eRoot\\\\PVConfiguration.xml\u003c/File\u003e\\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\\n \u003cLocation\u003e\u003c/Location\u003e\\n \u003cCategory\u003e\u003c/Category\u003e\\n \u003cRequestId\u003e\u003c/RequestId\u003e\\n \u003cReason\u003e\u003c/Reason\u003e\\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\\n \u003cMessage\u003eOpen File (Write Only)\u003c/Message\u003e\\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\\n \u003c/audit_record\u003e\\n\\n\u003c/syslog\u003e\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 11 11:45:26\",\"IsoTimestamp\":\"2021-03-11T19:45:26Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"98\",\"Desc\":\"Open File (Write 
Only)\",\"Severity\":\"Info\",\"Issuer\":\"Administrator\",\"Action\":\"Open File (Write Only)\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\PVConfiguration.xml\",\"Station\":\"127.0.0.1\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File (Write Only)\",\"GatewayStation\":\"10.0.1.20\"}}}", "code": "98", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json index 85de37d4230..78db165f0b6 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-99-open-file.log-expected.json @@ -52,7 +52,7 @@ "event": { "severity": 2, "action": "open file", - "ingested": "2021-06-04T11:33:18.139337400Z", + "ingested": "2021-06-09T10:24:37.636379200Z", "original": "\u003c5\u003e1 2021-03-04T19:10:05Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 11:10:05\",\"IsoTimestamp\":\"2021-03-04T19:10:05Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"99\",\"Desc\":\"Open File\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Open File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PVWAConfig\",\"File\":\"Root\\\\EPMConfiguration.xml\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Open File\",\"GatewayStation\":\"\"}}}", "code": "99", "kind": "event" 
diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json index e26eecd48c1..0b98d8e20f1 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-legacysyslog.log-expected.json @@ -45,7 +45,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-04T11:33:18.162541200Z", + "ingested": "2021-06-09T10:24:37.659605700Z", "original": "Mar 08 03:41:01 VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"no\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-BusinessWebsite.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" diff --git a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json index 38c3510ac35..515f077011e 100644 --- a/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json +++ b/packages/cyberarkpas/data_stream/audit/_dev/test/pipeline/test-rfc5424syslog.log-expected.json 
@@ -49,7 +49,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:18.183258200Z", + "ingested": "2021-06-09T10:24:37.684018100Z", "original": "\u003c5\u003e1 2021-03-04T17:27:14Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:14\",\"IsoTimestamp\":\"2021-03-04T17:27:14Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAGWUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", @@ -116,7 +116,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:18.183264800Z", + "ingested": "2021-06-09T10:24:37.684022300Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
@@ -186,7 +186,7 @@ "event": { "severity": 2, "action": "retrieve file", - "ingested": "2021-06-04T11:33:18.183266300Z", + "ingested": "2021-06-09T10:24:37.684023500Z", "original": "\u003c5\u003e1 2021-03-04T17:27:21Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:21\",\"IsoTimestamp\":\"2021-03-04T17:27:21Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"51\",\"Desc\":\"Retrieve File\",\"Severity\":\"Info\",\"Issuer\":\"PasswordManager\",\"Action\":\"Retrieve File\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"PasswordManagerShared\",\"File\":\"Root\\\\Policies\\\\Policy-GenericWebApp.ini\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Retrieve File\",\"GatewayStation\":\"\"}}}", "code": "51", "kind": "event" @@ -241,7 +241,7 @@ }, "event": { "severity": 2, - "ingested": "2021-06-04T11:33:18.183267400Z", + "ingested": "2021-06-09T10:24:37.684024500Z", "original": "\u003c5\u003e1 2021-03-04T17:27:33Z VAULT {\"format\":\"elastic\",\"version\":\"1.0\",\"syslog\":{\"audit_record\":{\"Rfc5424\":\"yes\",\"Timestamp\":\"Mar 04 09:27:33\",\"IsoTimestamp\":\"2021-03-04T17:27:33Z\",\"Hostname\":\"VAULT\",\"Vendor\":\"Cyber-Ark\",\"Product\":\"Vault\",\"Version\":\"11.7.0000\",\"MessageID\":\"7\",\"Desc\":\"Logon\",\"Severity\":\"Info\",\"Issuer\":\"PVWAAppUser\",\"Action\":\"Logon\",\"SourceUser\":\"\",\"TargetUser\":\"\",\"Safe\":\"\",\"File\":\"\",\"Station\":\"10.0.1.20\",\"Location\":\"\",\"Category\":\"\",\"RequestId\":\"\",\"Reason\":\"\",\"ExtraDetails\":\"\",\"Message\":\"Logon\",\"GatewayStation\":\"\"}}}", "code": "7", "kind": "event", 
diff --git a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 3f366ee85db..429c4ce77da 100644 --- a/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cyberarkpas/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -1169,12 +1169,13 @@ processors: ignore_missing: true - remove: field: event.original + if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))" + ignore_failure: true ignore_missing: true - if: 'ctx.tags == null || !ctx.tags.contains("preserve_original_event")' on_failure: - append: - field: error.message - value: '{{{_ingest.on_failure_message}}}' + field: error.message + value: '{{{_ingest.on_failure_message}}}' - remove: field: _tmp ignore_missing: true diff --git a/packages/cyberarkpas/data_stream/audit/manifest.yml b/packages/cyberarkpas/data_stream/audit/manifest.yml index a06e15e66c4..3487244dc06 100644 --- a/packages/cyberarkpas/data_stream/audit/manifest.yml +++ b/packages/cyberarkpas/data_stream/audit/manifest.yml @@ -22,15 +22,7 @@ streams: show_user: false default: - forwarded - - name: processors - type: yaml - title: Processors - multi: false - required: false - show_user: false - description: > - Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - + - cyberarkpas-audit - name: preserve_original_event required: true show_user: true 
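Review bot: Adding `ignore_failure: true` to the `remove` of `event.original` makes that processor's `on_failure` block dead, because Elasticsearch does not run a processor's `on_failure` handlers when `ignore_failure` is set, so the re-indented `field: error.message` / `value: '{{{_ingest.on_failure_message}}}'` lines no longer do anything. The practical effect is that if this step fails (for instance if `ctx.tags` turns out to be something other than a list and the `contains` call throws), the raw payload silently stays in `event.original` with nothing recorded in `error.message`, even though this processor is what enforces the `preserve_original_event` opt-in. I would either drop `ignore_failure: true` and keep the explicit `on_failure` append, or keep `ignore_failure` and delete the unreachable `on_failure` block, rather than carry both. The null-safe `ctx?.tags == null` in the new condition is an improvement over the removed one. The `processors:` list continues outside the hunk.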
@@ -39,6 +31,14 @@ streams: type: bool multi: false default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: > + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. - input: tcp enabled: true template_path: tcp.yml.hbs @@ -68,13 +68,6 @@ streams: default: - cyberarkpas-audit - forwarded - - name: preserve_original_event - type: bool - title: Preserve original event - multi: false - required: true - show_user: true - default: false - name: ssl type: yaml title: TLS configuration @@ -82,6 +75,14 @@ streams: required: false show_user: true description: Options for enabling TLS mode. See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false - name: processors type: yaml title: Processors @@ -121,11 +122,12 @@ streams: - cyberarkpas-audit - forwarded - name: preserve_original_event - type: bool - title: Preserve original event - multi: false required: true show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false default: false - name: processors type: yaml diff --git a/packages/cyberarkpas/docs/README.md b/packages/cyberarkpas/docs/README.md index b97f6dd8837..1e54f562e08 100644 --- a/packages/cyberarkpas/docs/README.md +++ b/packages/cyberarkpas/docs/README.md 
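Review bot: The new `description` for `preserve_original_event` in the `@@ -82,6` hunk says a raw copy is kept in `event.original` but not what that copy holds; the expected fixtures in this PR show `event.original` carrying the complete vendor payload, including Safe, File, Station and GatewayStation values, so anyone enabling it should understand they are retaining those details verbatim in a second field. I would extend it to something like `description: Preserves a raw copy of the complete, unparsed event in the field event.original; enable only where retaining the full payload is acceptable.` The same sentence is added in the `@@ -121,11` hunk and presumably should match the first input's `preserve_original_event` variable, whose `title`/`description` lines fall outside the `@@ -22,15` hunk, so I cannot confirm it carries one.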
@@ -31,7 +31,7 @@ For proper timestamping of events, it's recommended to use the newer RFC5424 Sys An example event for `audit` looks as following: -```$json +```json { "@timestamp": "2021-03-04T17:27:14.000Z", "cyberarkpas": { From e8f62c6290b64baca4617a6dbcec5f07d77fea97 Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Wed, 9 Jun 2021 12:25:42 +0200 Subject: [PATCH 7/7] More linting --- packages/cyberarkpas/data_stream/audit/manifest.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/packages/cyberarkpas/data_stream/audit/manifest.yml b/packages/cyberarkpas/data_stream/audit/manifest.yml index 3487244dc06..285985cf216 100644 --- a/packages/cyberarkpas/data_stream/audit/manifest.yml +++ b/packages/cyberarkpas/data_stream/audit/manifest.yml @@ -39,6 +39,7 @@ streams: show_user: false description: > Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp enabled: true template_path: tcp.yml.hbs