Skip to content

Cyberark Privileged Access Security module #24803

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adriansr merged 102 commits into from
Apr 19, 2021
Merged

Cyberark Privileged Access Security module #24803

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
102 commits
Select commit Hold shift + click to select a range
1da5826
Cyberarkpas module skeleton
adriansr Mar 4, 2021
599b7aa
Save Cyberark transform XSLT file
adriansr Mar 5, 2021
c6d2ac0
XSL: Escape some control characters
adriansr Mar 5, 2021
79c4752
Mage update
adriansr Mar 5, 2021
f94039e
WIP
adriansr Mar 8, 2021
6152e86
proper failure modes
adriansr Mar 8, 2021
c505016
Cleanup temp fields on failure
adriansr Mar 8, 2021
8174cf7
Set event.code
adriansr Mar 10, 2021
e25ed29
Debug: Add raw key to JSON
adriansr Mar 11, 2021
e17d706
Save raw fields
adriansr Mar 11, 2021
43bb357
Initial test data
adriansr Mar 16, 2021
1d44d3a
add samples from Cyberark
adriansr Mar 16, 2021
8020472
Transform CAProperties to an object
adriansr Mar 16, 2021
5df1836
Remove empty fields
adriansr Mar 16, 2021
2895edd
Fix missing timestamp in log
adriansr Mar 16, 2021
28f34c0
Split ExtraDetails key/values
adriansr Mar 16, 2021
e380166
Convert fields to snake_case
adriansr Mar 17, 2021
99249be
Make population of ExtraDetails more efficient
adriansr Mar 18, 2021
f14e3af
CAProperties values as array is unnecessary
adriansr Mar 18, 2021
e91ab8b
Improve @timestamp calculation
adriansr Mar 18, 2021
950285e
Remove empty fields faster
adriansr Mar 18, 2021
09ab3a5
small cleanup
adriansr Mar 18, 2021
558d37f
Populate source.address/.ip/.domain
adriansr Mar 18, 2021
f75e411
Populate observer fields
adriansr Mar 20, 2021
9e8d1af
Populate destination.address and related.ip
adriansr Mar 20, 2021
3d9f2e2
Enrich events by message ID
adriansr Mar 20, 2021
f788eeb
Support logon/logoff/full gateway connection
adriansr Mar 21, 2021
fa865e0
Support 22 - Verify Password
adriansr Mar 22, 2021
3f0e931
Save message (temporary?)
adriansr Mar 22, 2021
a0a0011
event severity/type/action and corrections
adriansr Mar 22, 2021
9361652
Set event.type: error for errors
adriansr Mar 22, 2021
b1e2c3c
message_id: 4 -- User authentication failure
adriansr Mar 22, 2021
40578d5
24 - CPM Change password
adriansr Mar 22, 2021
322cf7e
Correct event.type as an array
adriansr Mar 22, 2021
f865a86
31 - CPM Reconcile Password (unsure)
adriansr Mar 22, 2021
6067668
32 - Add Owner to Safe
adriansr Mar 22, 2021
2e2b93e
33 - Same as 32
adriansr Mar 22, 2021
68b00e2
38 - CPM Verify Password failed
adriansr Mar 22, 2021
77de899
small cleanup
adriansr Mar 22, 2021
2c04a9e
Populate related.user
adriansr Mar 22, 2021
3367e5a
Refactor enrichment processor entries
adriansr Mar 22, 2021
cefa95d
Use event.reason instead of error.message
adriansr Mar 22, 2021
27fed9a
temporary comment
adriansr Mar 22, 2021
13c8e31
60 - CPM Reconcile Password Failed
adriansr Mar 22, 2021
16656a8
130 - CPM Disable Password
adriansr Mar 22, 2021
e069684
s/failed/failure/g
adriansr Mar 22, 2021
eb8416f
295 - Retrieve Password succeeded
adriansr Mar 22, 2021
86468c8
300 - PSM Connect
adriansr Mar 22, 2021
f3618c6
302 - PSM Disconnect
adriansr Mar 22, 2021
ae9b0bc
300 - PSM Connect
adriansr Mar 23, 2021
5818216
308 - Use Password
adriansr Mar 23, 2021
59136b3
361 - Keystroke Logging
adriansr Mar 23, 2021
32fbbee
Don't populate observer.hostname unless present.
adriansr Mar 23, 2021
1efdca2
411 - Window Title
adriansr Mar 23, 2021
0215811
Use event.timezone for syslog timestamp
adriansr Mar 23, 2021
5125c17
Set pipeline_error on error
adriansr Mar 23, 2021
51520f2
set user.name from source.user.name
adriansr Mar 23, 2021
1ff264f
414 - CPM Verify SSH Key
adriansr Mar 25, 2021
ed90394
428 - Retrive SSH Key
adriansr Mar 25, 2021
55ee830
57 - CPM Change Password Failed
adriansr Mar 25, 2021
bae9ff2
309 - Undefined User Logon
adriansr Mar 25, 2021
74957b5
359 - SQL Command / network.protocol to application
adriansr Mar 25, 2021
8ba68ae
Remove known unknowns
adriansr Mar 26, 2021
e78a7cb
Configuration with TLS support
adriansr Mar 28, 2021
db134ee
Fix
adriansr Mar 29, 2021
0836391
Make update
adriansr Mar 29, 2021
eb0eb5d
412 - Keystroke logging (cloned from 361)
adriansr Mar 31, 2021
546fed6
Remove comment
adriansr Mar 31, 2021
c50242b
Keep event.original if flag is set
adriansr Mar 31, 2021
cc0b7d7
Missing file
adriansr Apr 1, 2021
81f91ef
Add geoip processors
adriansr Apr 1, 2021
a32e95c
Define explicit fields instead of using flattened
adriansr Apr 6, 2021
953693d
Alternative population of Hostname field
adriansr Apr 7, 2021
6a0e481
Sample dashboard
adriansr Apr 8, 2021
f1d7b84
Docs
adriansr Apr 8, 2021
ad79790
Update docs
adriansr Apr 12, 2021
f026c60
Document preserve_original_event flag
adriansr Apr 13, 2021
c142c74
Populate host.name / host.hostname
adriansr Apr 13, 2021
e9d8528
Update dashboard
adriansr Apr 13, 2021
238da18
New dashboard image
adriansr Apr 13, 2021
757d59a
User IAM events
adriansr Apr 13, 2021
be6cb78
Update dashboard again
adriansr Apr 13, 2021
03002d2
Fix double backslashes
adriansr Apr 13, 2021
43a1cb8
Use triple braces for mustache in processors
adriansr Apr 14, 2021
0fd761b
Remove duplicate observer fields
adriansr Apr 14, 2021
d565794
No need to populate host.hostname
adriansr Apr 14, 2021
b71a273
Remove duplicated message_id
adriansr Apr 14, 2021
552d9e4
More triple braces for mustache
adriansr Apr 14, 2021
6f3a77d
Mage update
adriansr Apr 15, 2021
d846f02
Comment improvements
adriansr Apr 15, 2021
68ecae8
Disable debug in XSL file
adriansr Apr 15, 2021
d7b0bd2
Update XSL link.
adriansr Apr 15, 2021
11dc572
Add changelog entry
adriansr Apr 15, 2021
86dceae
Remove redundant test logs
adriansr Apr 15, 2021
57123d2
Add network_direction
adriansr Apr 18, 2021
1685391
Use correct log.syslog.priority
adriansr Apr 18, 2021
adfc531
Re-generate golden files with newer 7.13 ES
adriansr Apr 18, 2021
4a958f2
Determine if a field is a valid IP address the 7.13 way
adriansr Apr 18, 2021
0a02a6b
Add station/gateway_station to related.ip
adriansr Apr 18, 2021
1e807b3
Remove bogus XSL distribution claim from docs
adriansr Apr 18, 2021
0fabc9f
Add description to script processors
adriansr Apr 18, 2021
d739863
Make rfc5424 field a boolean
adriansr Apr 19, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -836,6 +836,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add `fail_on_template_error` option for httpjson input. {pull}24784[24784]
- Change `okta.target` to `flattened` field type. {issue}24354[24354] {pull}24636[24636]
- Added `http.request.id` to `nginx/ingress_controller` and `elasticsearch/audit`. {pull}24994[24994]
- New module `cyberarkpas` for CyberArk Privileged Access Security audit logs. {pull}24803[24803]

*Heartbeat*

Expand Down
263 changes: 263 additions & 0 deletions filebeat/docs/fields.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ grouped in the following categories:
* <<exported-fields-coredns>>
* <<exported-fields-crowdstrike>>
* <<exported-fields-cyberark>>
* <<exported-fields-cyberarkpas>>
* <<exported-fields-cylance>>
* <<exported-fields-docker-processor>>
* <<exported-fields-ecs>>
Expand Down Expand Up @@ -34178,6 +34179,268 @@ type: keyword

--

[[exported-fields-cyberarkpas]]
== CyberArk PAS fields

cyberarkpas fields.




[float]
=== audit

Cyberark Privileged Access Security Audit fields.



*`cyberarkpas.audit.action`*::
+
--
A description of the audit record.

type: keyword

--

*`cyberarkpas.audit.ca_properties`*::
+
--
Account metadata.

type: flattened

--

*`cyberarkpas.audit.category`*::
+
--
The category name (for category-related operations).

type: keyword

--

*`cyberarkpas.audit.desc`*::
+
--
A static value that displays a description of the audit codes.

type: keyword

--

*`cyberarkpas.audit.extra_details`*::
+
--
Specific extra details of the audit records.

type: flattened

--

*`cyberarkpas.audit.file`*::
+
--
The name of the target file.

type: keyword

--

*`cyberarkpas.audit.gateway_station`*::
+
--
The IP of the web application machine (PVWA).

type: ip

--

*`cyberarkpas.audit.hostname`*::
+
--
The hostname, in upper case.

type: keyword

example: MY-COMPUTER

--

*`cyberarkpas.audit.iso_timestamp`*::
+
--
The timestamp, in ISO Timestamp format (RFC 3339).

type: date

example: 2013-06-25 10:47:19+00:00

--

*`cyberarkpas.audit.issuer`*::
+
--
The Vault user who wrote the audit. This is usually the user who performed the operation.

type: keyword

--

*`cyberarkpas.audit.location`*::
+
--
The target Location (for Location operations).

type: keyword

Field is not indexed.

--

*`cyberarkpas.audit.message`*::
+
--
A description of the audit records (same information as in the Desc field).

type: keyword

--

*`cyberarkpas.audit.message_id`*::
+
--
The code ID of the audit records.

type: keyword

--

*`cyberarkpas.audit.product`*::
+
--
A static value that represents the product.

type: keyword

--

*`cyberarkpas.audit.pvwa_details`*::
+
--
Specific details of the PVWA audit records.

type: flattened

--

*`cyberarkpas.audit.raw`*::
+
--
Raw XML for the original audit record. Only present when XSLT file has debugging enabled.


type: keyword

Field is not indexed.

--

*`cyberarkpas.audit.reason`*::
+
--
The reason entered by the user.

type: text

--

*`cyberarkpas.audit.rfc5424`*::
+
--
Whether the syslog format complies with RFC5424.

type: boolean

example: True

--

*`cyberarkpas.audit.safe`*::
+
Comment thread
adriansr marked this conversation as resolved.
Outdated
--
The name of the target Safe.

type: keyword

--

*`cyberarkpas.audit.severity`*::
+
--
The severity of the audit records.

type: keyword

--

*`cyberarkpas.audit.source_user`*::
+
--
The name of the Vault user who performed the operation.

type: keyword

--

*`cyberarkpas.audit.station`*::
+
--
The IP from where the operation was performed. For PVWA sessions, this will be the real client machine IP.

type: ip

--

*`cyberarkpas.audit.target_user`*::
+
--
The name of the Vault user on which the operation was performed.

type: keyword

--

*`cyberarkpas.audit.timestamp`*::
+
--
The timestamp, in MMM DD HH:MM:SS format.

type: keyword

example: Jun 25 10:47:19

--

*`cyberarkpas.audit.vendor`*::
+
--
A static value that represents the vendor.

type: keyword

--

*`cyberarkpas.audit.version`*::
+
--
A static value that represents the version of the Vault.

type: keyword

--

[[exported-fields-cylance]]
== CylanceProtect fields

Expand Down
Binary file added filebeat/docs/images/filebeat-cyberarkpas-overview.png
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading